Printer and firewall rules - best practise

netboy

@steveits Interesting....not sure internet was required. This makes me decide to keep printers in IoT and let them access the internet...it is isolated and can be accessed from my PvT subnet. I believe this is the easiest solution for newbie like me unless somebody tells me this is a bad idea

johnpoz

@netboy said in Printer and firewall rules - best practise:

it is isolated and can be accessed from my PvT subnet.

A common problem users run into when putting their printers in a different network than their client trying to print is stuff like airprint will not work out of the box... Because discovery doesn't work. You would have to do some stuff with like avahi to allow discovery to work.

If your client is like a pc that can put in a ip or fqdn for the printer then not an issue, but clients like phones or tablets that rely on discovery (airprint as example) your prob going to have issue discovering the printer to print to it when its in a different vlan/network regardless of your firewall rules.

I just put my printer in my vlan that my tablets and iphones use, its just easier that way. My pc can print to it no problem from a different vlan. And I am not a fan of breaking L2 boundaries.

netboy

@johnpoz Nice to know about air print. However I am setting up this for my home and ALL my cell phones / tablets etc. will connected thru AP - IoT network.

johnpoz

@netboy said in Printer and firewall rules - best practise:

will connected thru AP - IoT network.

Then your good.. And this is a simple solution is put the printer on the same network your wifi devices are on ;)

Gertjan

@johnpoz said in Printer and firewall rules - best practise:

If your client is like a pc that can put in a ip or fqdn for the printer then not an issue, but clients like phones or tablets that rely on discovery (airprint as example) your prob going to have issue discovering the printer to print to it when its in a different vlan/network regardless of your firewall rules.

That is : when the pfSense Avahi package is installed (ans some minimalist setup), you can connect an iPhone on a network (my case) 192.168.2.x/24, and when I ask my iPhone to list available printers, it will list all my network printers on 192.168.1.x/24. These printers do 'Air print' (or whatever) very well.
I've added a pass firewall rule on the 192.168.2.x/24 interface that permit 192.168.2.x/24 devices to connect to the 192.168.2.x/24 printers (I used an alias with the 3 IP addresses).
I said iPhone, because that's what I'm using. I guess the other ones also work just fine.

netboy

@gertjan Simple solution is for iphone to point wireless to the appropriate AP which has the printer. I have 2 AP's from TP Link EAP235-Wall (IoT subnet) & EAP615-Wall (Pvt subnet). I am waiting for my netgate 2100 max to arrive. I used tp link ER605 V2 - Terrible router had to return TWICE. What a joke they did not even test the same and selling it. Hopefully AP's will work - fingers crossed.

Gertjan

@netboy said in Printer and firewall rules - best practise:

appropriate AP which has the printer.

"An AP that has the printer" : how ? You mean : the AP has a USB port, attached to the printer ?
Typically, an AP is a very dumb device with on one side a Ethernet plug, and on the other side a radio device. It is - should be - network L2/3 transparent.

rcoleman-netgate

@gertjan Could be a printer with WiFi... that is fairly common now

Gertjan

@rcoleman-netgate
Ah, ok, seen like that, makes sens now.
Thanks.

netboy

@gertjan One printer wired and one printer wireless