Printing issue over two pfSense routers

aldomoro

Hello Guys
This is our previous layout of IT infrastracture. We have pfSense in datacenter together with other servers. Branches have Mikrotik routers and they are connected with pfSense via OpenVPN (you can see only one branch on the picture to keep it simple). Also laptops are connected to datacenter via OpenVPN.

origin layout.png

Everything works fine including printing, but we cannot update pfSense due to our old Mikrotik routers that are not able to keep latest security standard provided by newer pfSense version. That's why we decided to implement new pfSense and we gradually replace Mikrotik routers by Ubiqiti routers on our branches.

new layout.png

Everything works fine except printing. If printing goes through old infrastructure, the printjob is printed. But as soon as we want to print on printers behind new pfSense and Ubiqiti routers, only small prinjobs are printed. Bigger jobs finish in printing queue with errors like Win32 error code returned by the print processor "0xBCC" and other errors. I have already tried following things:

It does not play role if there is OpenVPN or IPsec between Ubiqiti and pfSense router, so I would say there is not issue with VPN protocol
If I setup printing directly from laptop to printer (without print server) and laptop and printer is within same branch, it works fine
If I print from laptop located in branch with Ubiqiti to printer that is located in branch with Mikrotik, only small printjobs are printed (even if sometimes not)
If I print from laptop located home or in branch with Mikrotik to branch with Ubiqiti, again only small prinjobs are printed
Printing between two branches with Ubiqiti routers is also unreliable
I can do ping test from any device in my network to another device
No matter if RAW or LPR protocol is used for printing. I can ping my IP and ports of my printers from anywhere
Even if I join Ubiqiti router to my old pfSense, everything is printed

Default gateway in datacenter if pfSense 1. Of course everything is routed between both pfSense routers (other applications communicate well). If printjob is send from printserver to the printer, it goes first to pfSense 1 and then to pfSense 2 (then to the branch network). There is outbound NAT for each branch behind Ubiqiti. Branch does not communicate without it with my datacenter.

My conclusion is when printing is going through the new pfSense 2, then printing is unreliable. But why?

Cool_Corona

@aldomoro

How odd this may seem, try to limit the number of letters in the local pc name to less than 15.....

We had the same issues with other hardware. When we used 14 letters or less then it worked like a charm.

aldomoro

@cool_corona Our computers are called NO123 or with another number

aldomoro

It seems I have found the root cause thanks to a guy from Spiceworks. It is connected to asymmetric routing which is created when communication from branch to print server goes via pfSense 2, but communication from print server to branch goes via both my pfSense. It means the path is not same and TCP connection can have problem with this.

More info is here
https://networkguy.de/the-problems-with-asynchronous-routing/
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html