    Printer and firewall rules - best practise

    Firewalling
    22 Posts 5 Posters 2.7k Views
      rcoleman-netgate Netgate @netboy

      @netboy You have a 2100 - it can do L3 routing. Please see the link I provided. You can use VLANs on the 2100 -- which is an L3 routing device.

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

        rcoleman-netgate Netgate @rcoleman-netgate

        If the printer is on an unmanaged switch you will not be able to block local L2 (subnet) traffic to the printer. Your best bet is to make one port for just the printer. Or locate an inexpensive L2 switch capable of VLANs.

          netboy @rcoleman-netgate

          @rcoleman-netgate Ok got it. Supposing I buy an inexpensive "managed" switch and connect it to the appropriate subnet (PvT), and my printers are connected to this managed switch - how should I configure the "managed" switch to allow specific IP / MAC addresses of printers to be accessed from IoT?

            rcoleman-netgate Netgate @netboy

            @netboy Through your firewall rules - you can put those devices into a static DHCP assignment and put those IPs into aliases and have the rules to allow traffic.

            pfSense rules are not run on a MAC address but against an IP address, so you will need to pin the device to an IP that won't change, thus the use of a static assignment.


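The alias-plus-static-IP approach described in the post above, worked through as an added example (my own code, not pfSense's and not from this thread): a small Python model of how pfSense walks an interface's rules top-down, first match wins, with an implicit default deny at the end. The addressing plan, alias names and interface labels are constructed assumptions. It goes slightly beyond the post by also including a rule that keeps the printers off the Internet, and by including a flow that shows why a drifted DHCP lease silently escapes an IP-based rule, which is the reason the static mapping matters.

```python
"""Model of pfSense interface-rule evaluation: rules are checked top-down on the
interface where a packet enters, first match wins, and unmatched traffic hits the
implicit default deny. Added example; not pfSense code. All addresses are a
constructed plan (assumption): PvT = 192.168.10.0/24, IoT = 192.168.20.0/24."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def _nets(*cidrs: str) -> tuple:
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Aliases, as you would define them under Firewall > Aliases. "Printers" holds the
# addresses fixed by static DHCP mappings; the rules below match on these IPs only.
ALIASES = {
    "PvT_net":  _nets("192.168.10.0/24"),
    "IoT_net":  _nets("192.168.20.0/24"),
    "Gateways": _nets("192.168.10.1/32", "192.168.20.1/32"),   # pfSense interface IPs
    "Printers": _nets("192.168.10.50/32", "192.168.10.51/32"),  # static DHCP mappings
    "RFC1918":  _nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
}
PRINT_PORTS = frozenset({9100, 631, 515})  # JetDirect/RAW, IPP, LPD


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrives on ("IoT" or "PvT")
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    proto: Optional[str]              # None = any protocol
    src: str                          # alias name or "any"
    dst: str                          # alias name or "any"; "!" prefix = invert match
    dports: Optional[FrozenSet[int]]  # None = any destination port


# Per-interface rulesets in evaluation order (Firewall > Rules > <interface>).
RULES = {
    "IoT": [
        Rule("pass", "udp", "IoT_net", "Gateways", frozenset({53, 123})),  # DNS/NTP on pfSense
        Rule("pass", "tcp", "IoT_net", "Printers", PRINT_PORTS),            # printing only
        Rule("block", None, "IoT_net", "RFC1918", None),                    # nothing else private
        Rule("pass", None, "IoT_net", "any", None),                         # Internet
    ],
    "PvT": [
        Rule("block", None, "Printers", "!RFC1918", None),  # printers never reach the Internet
        Rule("pass", None, "PvT_net", "any", None),         # everyone else: anywhere
    ],
}


def _addr_matches(ip: ipaddress.IPv4Address, alias: str) -> bool:
    if alias == "any":
        return True
    invert = alias.startswith("!")
    hit = any(ip in net for net in ALIASES[alias.lstrip("!")])
    return hit != invert


def _rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dports is not None and flow.dport not in rule.dports:
        return False
    return (_addr_matches(ipaddress.ip_address(flow.src), rule.src)
            and _addr_matches(ipaddress.ip_address(flow.dst), rule.dst))


def evaluate(flow: Flow) -> Tuple[str, int]:
    """Return (action, index of the first matching rule); index -1 is the default deny."""
    for i, rule in enumerate(RULES[flow.iface]):
        if _rule_matches(rule, flow):
            return rule.action, i
    return "block", -1


if __name__ == "__main__":
    samples = [
        Flow("IoT", "tcp", "192.168.20.77", "192.168.10.50", 9100),  # phone prints: pass
        Flow("IoT", "tcp", "192.168.20.77", "192.168.10.50", 80),    # printer web GUI: block
        Flow("IoT", "tcp", "192.168.20.77", "192.168.10.20", 445),   # PvT file share: block
        Flow("PvT", "tcp", "192.168.10.50", "93.184.216.34", 443),   # printer to Internet: block
        Flow("PvT", "udp", "192.168.10.50", "192.168.10.1", 123),    # printer NTP to pfSense: pass
        Flow("PvT", "tcp", "192.168.10.123", "93.184.216.34", 443),  # drifted lease: pass (rule missed)
    ]
    for f in samples:
        print(f"{f.iface:3} {f.src:>15} -> {f.dst:>15}:{f.dport:<5} {evaluate(f)}")
```

The last sample flow is the point of the static mapping: a printer that picked up a fresh dynamic lease is no longer in the "Printers" alias, so the block rule never sees it and the catch-all pass lets it out.
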
              netboy @rcoleman-netgate

              @rcoleman-netgate On second thought, can I have the printers in the IoT subnet and access them from the PvT subnet? All my problems will be solved since PvT can access IoT and not vice versa?

                Gertjan @netboy

                @netboy said in Printer and firewall rules - best practise:

                On second thoughts can I have the printers in IoT subnet and access it from PvT subnet?

                You can access your printer just fine, by IP address.
                Take note: it won't show up in the Windows "Network Neighborhood" if your PCs are in one network and the printer in another.

                When you put everybody, PC, NAS & Printers in one LAN network, and the IoT stuff on another network, you can access your printer easier, "the GUI way".
                Use a DHCP static lease for your printer, so now it has a 'static' IP on your LAN.
                Put a block rule on your LAN firewall that blocks this IP: your printer won't be able to go to the Internet.
                Add a pass firewall rule on the IoT network, so IoT devices can access the printer on the LAN network.

                Are you sure your printer 'visits' hosts on the Internet?
                Ok, it might do some NTP every hour or every day, as you want your printer to have the right time, but you could probably set that up so it uses the NTP service hosted on pfSense.
                What else should it do on the Internet??
                I have several network printers, and had a firewall log line for each of them, just to see if they go out, and if so, to whom: they never visited the Internet ....
                I guess I even wouldn't buy a printer that "goes out" by itself.
                It's just a printer .....

                Before you ask: no, do not have devices autonomously update/upgrade themselves.
                It should be done, of course, by you, as the device's admin, as you have to check upfront if the new firmware is ok for you: what it will resolve, what it will break, before you upgrade something.
                Because it's a networked device, it has a GUI, thus a way to upgrade it. If needed.
                Again, it's just a printer ....

                Btw: it's ok to worry about "what devices do" on your network.
                You'll see: 99 % of all heavily suspected traffic can be found on your PCs and other pad/phone stuff. You should block them all ;)

                edit: Ok, I get it: are printers ordering their own toners and cartridges now??

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??
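
Gertjan's habit above of logging a rule per printer to see whether they ever "go out" can be turned into a quick check over the firewall log. Added example (my own code, not from this thread and not part of pfSense): a Python parser for pfSense filterlog syslog lines that lists, per printer, every destination outside private/multicast space and whether the packet was passed or blocked. The log lines are constructed; the IPv4 field order follows the filterlog layout documented for pfSense (verify against your version's documentation); IPv6 entries use a different layout and are skipped.

```python
"""Report which printers tried to reach the Internet, from pfSense filterlog lines.
Added example; not pfSense code. Field order is the documented IPv4 filterlog
layout (assumption: check your version's docs); IPv6 entries use a different
layout and are skipped here. The sample log below is constructed."""
import csv
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

_PREFIX = re.compile(r"filterlog\[\d+\]:\s*")

# IPv4 filterlog fields up to the destination address; tcp/udp append ports after these.
IPV4_FIELDS = [
    "rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "dir",
    "ipver", "tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
    "length", "src", "dst",
]

PRINTERS = ("192.168.10.50", "192.168.10.51")  # the static DHCP mappings (constructed)

# Constructed sample: NTP to pfSense, an HTTPS connection out, mDNS, a PC's HTTPS,
# a blocked external NTP attempt, an IPv6 entry and an unrelated dhcpd line.
SAMPLE_LOG = """\
Mar 12 10:15:01 pfSense filterlog[41271]: 4,,,1000000104,igb1.10,match,pass,in,4,0x0,,64,1,0,DF,17,udp,76,192.168.10.50,192.168.10.1,123,123,56
Mar 12 10:15:02 pfSense filterlog[41271]: 4,,,1000000104,igb1.10,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.10.50,93.184.216.34,49152,443,0,S,1234567890,,65535,,mss;nop;wscale;sackOK;TS
Mar 12 10:15:03 pfSense filterlog[41271]: 4,,,1000000104,igb1.10,match,pass,in,4,0x0,,255,3,0,none,17,udp,120,192.168.10.51,224.0.0.251,5353,5353,100
Mar 12 10:15:04 pfSense filterlog[41271]: 4,,,1000000104,igb1.10,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.10.20,93.184.216.34,50000,443,0,S,987654321,,65535,,mss;nop;wscale;sackOK;TS
Mar 12 10:15:05 pfSense filterlog[41271]: 3,,,1000000103,igb1.10,match,block,in,4,0x0,,64,5,0,DF,17,udp,76,192.168.10.51,162.159.200.1,123,123,56
Mar 12 10:15:06 pfSense filterlog[41271]: 4,,,1000000104,igb1.10,match,pass,in,6,0x00,0x00000,64,udp,17,84,fe80::1,ff02::fb,5353,5353,84
Mar 12 10:15:07 pfSense dhcpd: DHCPACK on 192.168.10.50 to 00:11:22:33:44:55 via igb1.10
"""


def parse_filterlog(line: str) -> Optional[Dict[str, Any]]:
    """Parse one syslog line; return a dict for IPv4 filterlog entries, else None."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = next(csv.reader([line[m.end():]]))
    if len(fields) < len(IPV4_FIELDS) or fields[8] != "4":
        return None
    rec: Dict[str, Any] = dict(zip(IPV4_FIELDS, fields))
    extra = fields[len(IPV4_FIELDS):]
    if rec["proto"] in ("tcp", "udp") and len(extra) >= 2:
        rec["sport"], rec["dport"] = int(extra[0]), int(extra[1])
    else:
        rec["sport"] = rec["dport"] = None  # ICMP and others carry no ports
    return rec


def is_external(ip_str: str) -> bool:
    """True for addresses outside private, link-local, multicast, loopback and broadcast space."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_link_local or ip.is_multicast
                or ip.is_loopback or ip_str == "255.255.255.255")


Egress = Tuple[str, str, str, Optional[int], str]  # printer, dst, proto, dport, action


def printer_egress(lines: List[str], printers=PRINTERS) -> List[Egress]:
    """Unique (printer, destination, proto, dport, action) tuples for printer traffic
    headed outside private space; blocked attempts are included on purpose."""
    wanted = {ipaddress.ip_address(p) for p in printers}
    seen = set()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) in wanted and is_external(rec["dst"]):
            seen.add((rec["src"], rec["dst"], rec["proto"], rec["dport"], rec["action"]))
    return sorted(seen, key=lambda e: (e[0], e[1], e[2], e[3] or 0, e[4]))


if __name__ == "__main__":
    for printer, dst, proto, dport, action in printer_egress(SAMPLE_LOG.splitlines()):
        print(f"{printer} -> {dst} {proto}/{dport}: {action}")
```

Feed it the output of the firewall log (Status > System Logs > Firewall, or the raw syslog export) and the "pass" rows are the ones worth a second look: a passed connection from a printer to an outside host means the block rule did not cover it.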

                  netboy @Gertjan

                  @gertjan said in Printer and firewall rules - best practise:

                  When you put everybody, PC, NAS & Printers in one LAN network, and the IoT stuff on another network, you can access your printer easier, "the GUI way".
                  Use a DHCP-static lease for your printer, so now it has a 'static' IP on your LAN.
                  Put a block rule on your LAN firewall that blocks this IP : your printer won't be able to go to the Internet.
                  Add a pass firewall rule on the IoT network, so IoT device can access the printer on the LAN network.

                  I like this...... but what is the best practice? Should the printers be in the private network or the IoT network? Or does it not matter?

                    rcoleman-netgate Netgate @Gertjan

                    @gertjan said in Printer and firewall rules - best practise:

                    edit : Ok, I get it : are printers ordering their own toners and cartridges now ??

                    I'm afraid that some of them are, or checking codes on carts to see if they're legit and bricking the system.

                      SteveITS Galactic Empire @rcoleman-netgate

                      @rcoleman-netgate said in Printer and firewall rules - best practise:

                      or checking codes on carts to see if they're legit and bricking the system

                      HP has HP+ branded printers that:

                      1. require you to agree to use only their ink
                      2. require the printer to be connected to the Internet: "While the printer is disconnected, you might be able to print a limited amount, but eventually the printer stops working. To resume printing, connect the printer to the internet again."
                      3. work with HP's optional service called "Instant Ink" to automatically purchase and deliver ink/toner

                      We posted a newsletter article on this recently but not sure if I can link it here.

                      re: cartridges, I have also read HP may "lock" a specific cartridge to a given printer so it can't be moved.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                        netboy @SteveITS

                        @steveits Interesting.... not sure the internet was required. This makes me decide to keep printers in IoT and let them access the internet... it is isolated and can be accessed from my PvT subnet. I believe this is the easiest solution for a newbie like me, unless somebody tells me this is a bad idea.

                          johnpoz LAYER 8 Global Moderator @netboy

                          @netboy said in Printer and firewall rules - best practise:

                          it is isolated and can be accessed from my PvT subnet.

                          A common problem users run into when putting their printers in a different network than the client trying to print is that stuff like AirPrint will not work out of the box... because discovery doesn't work. You would have to do some stuff with Avahi to allow discovery to work.

                          If your client is a PC where you can put in an IP or FQDN for the printer, then it's not an issue, but with clients like phones or tablets that rely on discovery (AirPrint as an example) you're probably going to have issues discovering the printer to print to it when it's in a different VLAN/network, regardless of your firewall rules.

                          I just put my printer in the VLAN that my tablets and iPhones use; it's just easier that way. My PC can print to it no problem from a different VLAN. And I am not a fan of breaking L2 boundaries.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                            netboy @johnpoz

                            @johnpoz Nice to know about AirPrint. However I am setting up this for my home and ALL my cell phones / tablets etc. will connect through the AP on the IoT network.

                              johnpoz LAYER 8 Global Moderator @netboy

                              @netboy said in Printer and firewall rules - best practise:

                              will connect through the AP on the IoT network.

                              Then you're good. And this is a simple solution: put the printer on the same network your wifi devices are on ;)

                                Gertjan @johnpoz

                                @johnpoz said in Printer and firewall rules - best practise:

                                If your client is a PC where you can put in an IP or FQDN for the printer, then it's not an issue, but with clients like phones or tablets that rely on discovery (AirPrint as an example) you're probably going to have issues discovering the printer to print to it when it's in a different VLAN/network, regardless of your firewall rules.

                                That is: when the pfSense Avahi package is installed (and some minimalist setup), you can connect an iPhone on a network (my case) 192.168.2.x/24, and when I ask my iPhone to list available printers, it will list all my network printers on 192.168.1.x/24. These printers do 'AirPrint' (or whatever) very well.
                                I've added a pass firewall rule on the 192.168.2.x/24 interface that permits 192.168.2.x/24 devices to connect to the 192.168.2.x/24 printers (I used an alias with the 3 IP addresses).
                                I said iPhone, because that's what I'm using. I guess the other ones also work just fine.

                                  netboy @Gertjan

                                  @gertjan The simple solution is for the iPhone to point its wireless to the appropriate AP which has the printer. I have 2 APs from TP-Link: EAP235-Wall (IoT subnet) & EAP615-Wall (PvT subnet). I am waiting for my Netgate 2100 Max to arrive. I used a TP-Link ER605 V2 - terrible router, had to return it TWICE. What a joke, they did not even test it and are selling it. Hopefully the APs will work - fingers crossed.

                                    Gertjan @netboy

                                    @netboy said in Printer and firewall rules - best practise:

                                    appropriate AP which has the printer.

                                    "An AP that has the printer": how? You mean the AP has a USB port, attached to the printer?
                                    Typically, an AP is a very dumb device with an Ethernet plug on one side and a radio on the other. It is - should be - network L2/3 transparent.

                                      rcoleman-netgate Netgate @Gertjan

                                      @gertjan Could be a printer with WiFi... that is fairly common now

                                        Gertjan @rcoleman-netgate

                                        @rcoleman-netgate
                                        Ah, ok, seen like that, it makes sense now.
                                        Thanks.

                                          netboy @Gertjan

                                          @gertjan One printer wired and one printer wireless

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.