Accessing a printer from another VLAN
-
I just replaced my printer with a Brother MFC-J5340DWE.
That printer is in another VLAN than e.g. my (Windows 11) PC. Where I had no problem to print or access the printer GUI with my previous HP printer, it does not work with the Brother one.
Despite a lot of research I do not know why.
Situation is as follows. The new printer has an active state and a sleep state. A few minutes after being active (adjustable) the printer goes to sleep. A print job or GUI-access should wake up the printer, however for some vague reason, the printer only becomes active, if accessed from a local (same vlan) PC.
If the printer is in state 'active', then accessing and printing from other vlans is no problem, but only then.
Of course I configured pfSense to pass all printer packages between PC and printer.
So I have a very vague feeling that something like missing multicast could be the reason for this strange behavior. But as said I simply do not understand the problem.
I sincerely hope someone knows what is wrong and knows how to solve it.
A printer which can not be reached for printing ......... Is almost ready for the trashcan
So sincerely hope for help!
-
Check if the printer accepts connections from outside its own LAN.
For security reasons, this could be the case.
On the pfSense side of things: check if packets sent to your printer from 'the other' LAN arrive at the LAN interface. Use Diagnostics -> Packet Capture:
Select your LAN interface and type in the IP of the printer.
And hit Start.
Now, from the device, other LAN, connect to the printer.
The packet capturing should start to log lines.
Btw: I know it works, as I don't have a "MFC-J5340DWE", but I do have a collection of rather recent Brother printers, and I can print just fine on them while I'm on my 192.168.2.x network while the printers live on my LAN, 192.168.1.y.
-
Yep that is what you expect. And I have made a lot of wireshark traces. Using my Windows (11 pro) PC another PC in the printer LAN. I could of course also use Packet capture. That has one advantage ......
I noticed that it is more likely that I can print from the second vlan if the PC in the first vlan (the printer vlan) is active, but not printing. Which is strange ....
In order to make sure that all packages are passing via the firewall I did even add two floating rules.
Since the Brother printers can be 'powered' via a classical TCP/IP driver and via a Microsoft IPP - driver, I installed and tested with both. Same result.
For info part of one of the many captures and pfSense logging's I made
Louis
Not working
PC on local lan (working)
Also note that
- I am using printer firmware version 1.14
- auto turn off = off
- sleep timer on 5 minutes
- the printer ping times are incredibly bad! (especially with higher LAN-speeds)
- I lowered the printer LAN speed to 10 Mbit half duplex (!!), since wireshark traces did show lots of repeated packages at higher rates
(absolutely not ok, but it is not the problem)
- I forward printer syslog to my graylog server, but did not yet see strange things (I hardly see anything in fact)
-
I sometimes have the verdict that my Windows PC is not sending data because it assumes that the destination (the printer) is not available
Capture on the Windows PC
Capture on pfSense related to the Printer-LAN
-
I did another experiment. I virtually placed the PC-lan PC in another VLAN.
Then I saw
Strange thing is that the printer ICMP-message can not reach the PC-where I did the capture ....
(printer = 192.168.1.18; PC =192.168.3.128)
And I did turn the Windows firewall off before this test!
Note that after seeing that I just turned off Avahi which I did install this afternoon. But Avahi did not solve anything. I just removed it.
The destination port is 161 (SNMP), a feature which is not standard for Windows 10/11 PC versions. Maybe a clue.
-
I turned off SNMP in the printer settings. That did not change the 'not' printing behavior. However perhaps ... it helped accessing the printer GUI. Need to test more to be sure.
-
Can you eliminate the V in your VLAN ?
I'm doing like you : "Accessing a printer from another LAN" : remark the absence of the "V" here.
It's simple to set up, never had to packet capture or having any of the issues you've shown.
As mentioned above, I have a pfSense 192.168.1.0/24 LAN with a couple of Brother, and other, printers.
I have a second LAN, 192.168.2.0.24, a captive portal, where I added this rule:
The first rule blocks most ports - 21,22,25,80, etc etc on the printers.
The second rule allows access to these printers.
The alias 'Printers' contains the IPv4 of my 4 printers.
I use Avahi to 'expose' the printers on my captive portal LAN. Avahi is not optional as this tool enables discovering of devices present on LAN (my main LAN) from LAN (my captive portal).
From this point on, most recent phones and other BYOD connected on the captive portal LAN can 'find' the printers, and print.
I'm not sure if a 'Windows' device, visiting/using my captive portal, can find/detect my LAN based printers. As Windows (and other) laptops need "drivers" and all that, I find this less important.
But if the laptop had the correct driver, it's a question of entering the right IP, and it will connect and work.
The printers are pretty default. No 'snmp' or something like that.
-
It could be that I have partly solved the problem.
- I did install Avahi, note that IMHO that should not be necessary (if the IP is known, what it is)
Allowing IPV4 and IPV6 and mDNS. I also allowed mdns in the FW-rules
- I did remove the installed Brother printer(s) (IPP & TCP)
- I noticed that the printer's IPV6 ping times were much (!!) better and more consistent than the ipv4 pings
- I did 'manually' install the printer again using the printer's IPV6-address and the IPP driver version
Now it seems that printing is working.
However, I still can not access the printer's gui from another LAN if the printer is asleep.
Accessing the printer's gui is not possible at all.
Since the whole setup does not feel "solid / controlled" I hope that this solved the printing issue.
For sure it does not solve the GUI-access problem, however that is less relevant.
PS
- You are correct saying that this problem is there independent from the fact if the LAN is a LAN or a VLAN (all my LANs are VLANs)
- normally I would have preferred IPV4 for the printer, but my computers etc do all support IPV6
- I also would have used the Brother TCP-driver and not the Microsoft IPP driver, but I can live with that
-
You can probably stop looking.
I can access the GUI of my big color printer scanner just fine, but the two brothers : no go.
Looks like their gui is only accessible from their local LAN.
-
I removed the Microsoft IPP-driver and installed the printer with the Brother TCP driver. To do that SNMP must be activated in the printer config (v2/v3 I used). Without SNMP the printer is not detected.
The Brother driver has more options and the print quality is a bit better. That does not take away that I did change the printer quality from standard to high. And even with that setting I am a bit disappointed in regard with the print quality. The HP-printer I had before .. was better.
-
@Gertjan
Hey there,
I am possibly wrong and not hitting the problem...
BUT :) I have my brother MFC-J5340DW in VLAN 30, my pc is in VLAN10, Tablet in VLAN 20...
Both clients can reach brother's GUI, can log in, can print and scan...
So...hmmm. Strange?
Just added rules in pfsense to reach brother.
Printing....check
Scanning...check
GUI...check
I do not get it, why it wouldn't work for you or louis2. Just wanted to state, that GUI is available from another subnet here.
Sorry for any inconvenience my post may rise...
-
@the-other said in Accessing a printer from another VLAN:
that GUI is available from another subnet here
It's not an issue for me that the GUI isn't available for 'them', as they are captive portal visitors, and I don't want them to 'admin' my printers anyway. GUI is there for me, and my trusted devices are all in the same LAN anyway.
Because that's what the GUI is all about: setting up printer parameters etc. You don't need the GUI access to print.
Heck, most printer owners don't even know that their printer has a web GUI ...
I made my printers available for a reason: I use the captive portal in a hotel, and my clients have stuff to print, like a plane ticket, or something like that. I can now say to them: "if you are connected to the hotel wifi, just tap on your screen the word Print ... and select any printer you find - for example the one called 'Printer in the Hotel Reception'." Way often, they are surprised that they can print with their phone / pad ... no driver to install, no hassle, it just plain works ** ... the client is happy, and I don't lose any time with them.
** : that is, Apple devices: printing always works. Android based devices ... far less. Microsoft devices: I'm not sure. Windows can detect printers and other devices on the same network. As far as I know, Windows doesn't make use of what Avahi makes 'visible' to them (shows the existence of devices elsewhere) but as these devices are on another network, things start to be complicated. Although a PC could reach out to the device, check out the GUID, so it knows what driver it needs, etc .... but no ... Microsoft is still locked into the ancient Network Neighborhood mentality.
@the-other said in Accessing a printer from another VLAN:
Just added rules in pfsense to reach brother.
Did that : see above.....
But I retried it again ....
And and - or and : it worked ! Mayday ... firewall to the rescue :
First rule : typical web TCP traffic (alias ports called "MostbasicPorts") is now blocked.
The second rule gives them access ....
Thanks for having me recheck this. My Brothers' GUIs were actually accessible from other networks ...
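The rule order described in the posts above (block the "MostbasicPorts" alias on the 'Printers' alias first, then allow the printers), modelled as an added example that is not part of the original thread and not pfSense code: a first-match evaluator showing why printing passes while the web GUI stays blocked for portal clients. The printer and client addresses and the IPP/raw print ports are constructed assumptions; only the subnets and ports 21, 22, 25, 80 come from the thread.

```python
import ipaddress

# Constructed sample values: the thread gives only the two subnets and the
# start of the port alias ("21,22,25,80, etc etc"); the printer IPs are made up.
PORTAL_NET = ipaddress.ip_network("192.168.2.0/24")
PRINTERS = {ipaddress.ip_address(f"192.168.1.{n}") for n in (31, 32, 33, 34)}
MOST_BASIC_PORTS = {21, 22, 25, 80}
SERVICES = {"web GUI": 80, "IPP": 631, "raw print": 9100}

BLOCK_ADMIN = {"action": "block", "proto": "tcp", "dst": PRINTERS,
               "ports": MOST_BASIC_PORTS, "descr": "block MostbasicPorts on Printers"}
ALLOW_PRINTERS = {"action": "pass", "proto": "any", "dst": PRINTERS,
                  "ports": None, "descr": "allow Printers"}
RULES = [BLOCK_ADMIN, ALLOW_PRINTERS]  # order as described in the post


def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched hits the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in PORTAL_NET:
        return "block", "source is not on the portal network"
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if dst not in rule["dst"]:
            continue
        if rule["ports"] is not None and port not in rule["ports"]:
            continue
        return rule["action"], rule["descr"]
    return "block", "default deny"


def reachable(rules, src, printer):
    """Names of the printer services a portal client can open over TCP."""
    return [name for name, port in SERVICES.items()
            if evaluate(rules, src, printer, "tcp", port)[0] == "pass"]


if __name__ == "__main__":
    client, printer = "192.168.2.50", "192.168.1.31"
    print("block first:", reachable(RULES, client, printer))
    print("allow first:", reachable(RULES[::-1], client, printer))
    print("LAN host   :", evaluate(RULES, client, "192.168.1.1", "tcp", 443))
```

With the allow rule placed first, the block rule is never reached and the web GUI becomes reachable from the portal network, which is the ordering mistake to check for when the GUI is unexpectedly open or closed.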
-
@Gertjan
Yeah, I hear you with other users not administrating your printer(s). Same here (although it is only me and my son here). Yes I love my child, no I will not give him admin rights for the printer...
I wanted exactly that: our mobile devices in their different vlans can print. GUI for my tablet was just for trying it (reading this post). Scans work in different vlans from brother, even scanning with paperless ngx is working. I am happy!
So 100 % with you on that one ;)
-
I checked gui access again. In my experience
- the gui is not accessible from the other lans, unless the printer is in active mode
- I never managed to get gui access via IPV6
- I am using the printer's IPV6-address for the installed Brother TCP-driver, since the printer seems to react much faster to IPV6
(and all my devices using the printer can handle ipv6)
- I did not test the scanner yet. For me less interesting since I also have a flatbed scanner next to my computer
- That the gui is not accessible via another lan is not like it should be, but not dramatic
-
@louis2 said in Accessing a printer from another VLAN:
the gui is not accessable from the other lans, unless the printer is in active mode
If it is sleeping, the GUI server part is shut down ?
@louis2 said in Accessing a printer from another VLAN:
never managed to get gui access via IPV6
My 5100 doesn't support DHCP6, only a rudimentary Ipv6 static setup, I had to set up manually an IPv6 :
and I had to create an IPv6 host override (bottom part of the resolver).
Now, when I visit "https://brother-hotel....... my browser accesses the printer GUI using IPv6.
-
@Gertjan
hey there,
same here: put printer's IPv6 (here I use ULA instead of GUA) in unbound's host override. I can reach my printer now via IPv4 and IPv6 (ULA) from subnets. Using SLAAC, since my ISP is giving out dynamic v6 prefixes.
Works fine for me, used those IPs (v4 and v6-ULA plus FQDN) in brother printer's certificate for ssl (thanx to pfsense's cert manager easily done).
Surprisingly, my printer's GUI is reachable even when the device is asleep (energy saving mode)...
-
Sorry, GUI via IPV6 is working! Even better, as opposed to IPV4 it always works even if the printer is 'asleep'.
Since I use fixed addresses for all my equipment, I did set up the IPV6-address via the printer GUI.
In general IPV6 seems to work significantly better than IPV4.
So it's all working now.
I found and downloaded the manual. Much more info than in the online manual. Not so easy to find that download, since it is not an item in the download menu. I found it someway via the online help menu.
There are a lot of options I will probably never use.
I just do not like that:
- it is possible to change some settings via the panel without any form of authorisation, e.g. you can change the IP-address ....
- less severe, as far as I know I can not limit gui access based on IPV6 address. However then there is password protection
-
@Gertjan said in Accessing a printer from another VLAN:
far less. Microsoft devices : I'm not sure. Windows can detect printers and other devices on the same network, As far as I know, Windows doesn't make use of what Avahi makes 'visible' to them (shows the existence of devices elsewhere) but as these devices are on another network, things start to be complicated. Although a PC could reach out to the device, check out the GUID, so it knows what driver it needs, etc .... but no ... Microsoft is still locked into the ancient Network Neighborhood mentality
Well, I have to take my words back: I was wrong.
I brought with me my Windows pro 11 laptop, and connected the wifi to my captive portal network.
All went well, I was presented immediately with a login page, and I could connect.
As Windows doesn't 'know' (recognize) the network, the network was defined as the default, safe public mode. This means that my laptop will not see/use/access any local resources except the gateway. This is enough for a working Internet connection.
I switched to "trusted".
Then : Settings -> Bluetooth and Devices -> Printers and scanners and hit "Add a device".
After several seconds, it started to list all my Brother printers and the big Ricoh copy color scanner printer. All these devices are on my LAN, and my laptop was connected to another LAN, my OPT1 or captive portal network.
So, I have to take back my words : Windows 11 (pro, if that matters) works just fine, it can see and use printers on other networks. IMHO : It must be using the announcements that Avahi makes on my portal network.
-
@louis2 It's not that it works better, just that most firmware these days gets confused in dual-stack mode, especially during reduced power CPU states. I have setup HAProxy in TCP mode to act as a mediator for both IPv4 and IPv6 addresses of my printers. This opens up a lot more possibilities (as far as authentication and authorization for printing goes) through the use of an SSO, such as authelia.
-
@Gertjan Both things are true. Yes, Win11 works just fine, but also MS has made a mess with all Windows config that is not likely to be resolved until they completely move away from the old control panel and consolidate all GP options to have counterparts in the Settings app. They are caught between the need to move on (completely) to the new way of doing things (general DNS and native TCP/IP solutions for everything) and the need to support those clients that, while they upgraded their server and desktop Windows to a new version, their setup is unchanged (or at least, its topology is) from the one they had in the Windows Server 2003 days...
I ranted all that, because the option to choose the location for a network (or options that essentially do the same thing) exists in at least 5 different places in the OS. Registry, netsh powershell, GPEdit, control panel, settings... All methods of configuring a setting should be about the same setting (eg, in registry). That is currently not the case.