Block printing in remote printer

@nikpony said in Block printing in remote printer:

One of the logs that creating after my attempt to print remotely.

Allow this record and try again

dma_pf

@nikpony said in Block printing in remote printer:

In one of these locations, we have a network printer Konica Minolta. In this printer we were able to print while we are in our head offices, via the ipsec tunnel. Once, i have enable pfSense firewall, we can ping and view the interface of the printer but printing is rejected.

If you are trying to access the printer by it's host name your probably going to need to allow the local network to access the remote network's DNS in order to resolve the host name. I don't know what firewall you are using on your remote network, but in pfsense it would be done at ServicesDNS/Resolver/Access Lists/. When you're pinging to the printer or accessing its GUI are you doing it by IP address? Have you tried to reach it by FQDN?

nikpony

@silence i tried to allow every rule that block this process, as i saw them in the log, with no success

nikpony

@dma_pf The other network, does not have any specific firewall, only the router's default.
Yes, i can access the printer only using the IP address. It's not possible to reach the FQDN. Due to i am very new in pfsense, as i have already open all the blocked ports in the pfsense, is it necessary to open them respectively on the remotely router part?

dma_pf

@nikpony said in Block printing in remote printer:

Yes, i can access the printer only using the IP address. It's not possible to reach the FQDN.

How is the printer set up? In other words when a client is trying to print something to that printer is it trying to reach the printer by it IP or FQDN?

nikpony

@dma_pf By IP only

dma_pf

@nikpony

Thanks for that info. It's definitely strange that you can ping the printer but it won't print by IP address. Traffic if clearly being routed from pfsense correctly. Can you post a screenshot of your firewall rules (including floating if any)? And what interface are your clients using in pfsense to try to print, the original LAN or another interface that you created?

Are there any restrictions in the printer's settings, like built in firewall rules, that would be blocking print from other networks?

nikpony

@dma_pf I appreciate your help mate!

Attached you will find my current rules.

Στιγμιότυπο 2022-02-01, 10.40.08 μ.μ..png Στιγμιότυπο 2022-02-01, 10.39.55 μ.μ..png

@nikpony, wooooooow! they are a lot of strange rule,

Let's start by reducing the amount of rule a little, for example:: this

Facebook_Block ? Allow Ipv4* LAN net * LAN NET ??? that doesn't make sense to me

Why is the allow dns to pfsense rule below the Default allow lan to any rule?

Let's start with the basics, what is the ip of your pfsense, the ip of your printer and the ip from where you print...

??

nikpony

@silence The Facebook_Block is a testing rule, rest there with no impact (i suppose).
I didn't know that the sorting of the rules affect their operation order!
So my printer's ip is 192.168.3.100 and i am trying to print from 10.168.10.198.
Pfsense ip is 10.168.10.115.

dma_pf

You have a fundamental misunderstanding of how the firewall rules work in pfsense. Immediately delete this rule on the WAN:

It is allowing anything on the internet to access anything on your internal networks!

I can help you straighten this out but it's going to take some work. Definitely read this: https://docs.netgate.com/pfsense/en/latest/firewall/index.html

I didn't know that the sorting of the rules affect their operation order!

Rules are evaluated from the top down. The first rule that gets triggered is it....no other rules below it are evaluated.

Rules on an interface are interpreted in the inbound direction as allowing/blocking clients on that interface to pass into the firewall to be routed. Client--->firewall rule on the interface ----->routed through firewall.

The WAN has a default BLOCK rule that prohibits anything from passing through the WAN and into the firewall.
The LAN interface has a default ALLOW rule that permits clients on the LAN so send traffic into the firewall.

The printer rule you have on the WAN is wrong. The way that rule is written it is saying that any IPv4 traffic coming from the WAN (ie anything from the internet) is allowed to pass through the WAN and into the router and be sent to the device at IP 192.168.3.0. That rule needs to be on the LAN (10.168.10.xxx) interface and not on the WAN. And the gateway for that rule needs to be your IPsec interface. In that way you will be policy routing (allowing) traffic initiated on the LAN destined for the printer's IP address to be directed to be sent out the IPsec tunnel.

I'll look at the rules in more detail tomorrow and will give you more feed back.

@nikpony Despues de ver el comentario de @dma_pf creo que te dejare un rato con el me parece que te puede ayudar ! de lo contrario estare aqui por si necesita ayuda.

nikpony

@silence Thanks a lot!

nikpony

@dma_pf Very appreciated for your detailed instructions! May i have to explain you further my network infrastructure

dma_pf

@nikpony said in Block printing in remote printer:

Very appreciated for your detailed instructions! May i have to explain you further my network infrastructure

You are very welcome, and I'm glad to help. I do need some more info on your infrastructure. In your earlier post you mentioned the Huawei Router.

Is that router still being used or has pfsense replaced it?
If it is still being used is it acting as a gateway to the ISP?
If so, is it in bridge mode now that you have pfsense behind it?

Does anything on the remote network need to reach back to your local LAN to access any resources on the LAN?

What is the purpose of the OpenVPN on pfsense?

nikpony

@dma_pf

So, the router is still in use, of course, and this is our gateway.
I have not set it in a bridge mode, should i do it?

Right now, remote network get into our lan through ipsec and they have access to our domain.
OpenVPN is used just for access in our sources, like ERP, mail etc.

nikpony

@dma_pf Also i have to inform you that it runs in a Hyper-V

dma_pf

@nikpony Is the router serving any other purpose other than just providing a gateway to pfsense?

All IPsec is being handled by pfsense (no IPsec configured on router)?

Is the domain all Microsoft? Is everything on the LAN part of the domain?

How do you have pfsense set to resolve DNS?

So if I understand correctly, OpenVPN is used to allow outside sources to access local resources on the LAN? Are any of those sources mobile, or are the accessing resources from fixed locations?

nikpony

@dma_pf

Router has all the management of IPSec.

The domain is Microsoft only, all devices are parts of my domain.

Attached photo of my DNS resolve settings.

Regarding the OpenVPN, you are right. There are no fixed locations, if you mean such as static ip's that using the OpenVPN.

dma_pf

@nikpony said in Block printing in remote printer:

Router has all the management of IPSec.

Is this true even for the pfsense LAN to the remote network? Why is there an IPsec interface on pfsense if all IPsec is being handled by the router?