Accessing a printer from another VLAN
-
Can you eliminate the V in your VLAN ?
I'm doing like you : "Accessing a printer from another LAN" : remark the absence of the "V" here.
It's simple to set up, I never had to packet capture or had any of the issues you've shown.
As mentioned above, I have a pfSense 192.168.1.0/24 LAN with a couple of Brother, and other, printers.
I have a second LAN, 192.168.2.0/24, a captive portal, where I added this rule :
The first rule blocks most ports - 21,22,25,80, etc etc on the printers.
The second rule allows access to these printers.
The alias 'Printers' contains the IPv4 of my 4 printers.
I use Avahi to 'expose' the printers on my captive portal LAN. Avahi is not optional as this tool enables discovering of devices present on LAN (my main LAN) from LAN (my captive portal).
From this point on, most recent phones and other BYOD connected on the captive portal LAN can 'find' the printers, and print.
I'm not sure if a 'Windows' device, visiting/using my captive portal, can find/detect my LAN based printers. As Windows (and other) laptops need "drivers" and all that, I find this less important.
But if the laptop had the correct driver, it's a question of entering the right IP, and it will connect and work.
The printers are pretty default. No 'snmp' or something like that.
-
It could be that I have partly solved the problem
- I did install Avahi, note that IMHO that should not be necessary (if the IP is known, which it is)
Allowing IPV4 and IPV6 and mDNS
- I also allowed mdns in the FW-rules
- I did remove the installed BrotherPrinter(s) (IPP & TCP)
- I noticed that the printer's IPV6 ping times were much (!!) better and more consistent than the IPV4 pings
- I did ^manually^ install the printer again using the printer's IPV6-address and the IPP driver version
Now it seems that printing is working
However, I still can not access the printer's gui from another LAN if the printer is asleep
Accessing the printer's gui is not possible at all.
Since the whole setup does not feel "solid / controlled", I hope that this solved the printing issue.
For sure it does not solve the GUI-access problem, however that is less relevant.
PS
- You are correct saying that this problem is there independent of whether the LAN is a LAN or a VLAN (all my LANs are VLANs)
- normally I would have preferred IPV4 for the printer, but my computers etc do all support IPV6
- I also would have used the Brother TCP-driver and not the Microsoft IPP driver, but I can live with that
-
You can probably stop looking.
I can access the GUI of my big color printer scanner just fine, but the two brothers : no go.
Looks like their gui is only accessible from their local LAN.
-
I removed the Microsoft IPP-driver and installed the printer with the Brother TCP driver. To do that SNMP must be activated in the printer config (v2/v3 I used). Without SNMP the printer is not detected.
The Brother driver has more options and the print quality is a bit better. That does not take away that I did change the printer quality from standard to high. And even with that setting I am a bit disappointed in regard with the print quality. The HP-printer I had before .. was better.
-
@Gertjan
Hey there,
I am possibly wrong and not hitting the problem...
BUT :) I have my brother MFC-J5340DW in VLAN 30, my pc is in VLAN10, Tablet in VLAN 20...
Both clients can reach brother's GUI, can log in, can print and scan...
So...hmmm. Strange?
Just added rules in pfsense to reach brother.
Printing....check
Scanning...check
GUI...check
I do not get it, why it wouldn't work for you or louis2. Just wanted to state, that GUI is available from another subnet here.
Sorry for any inconvenience my post may cause...
-
@the-other said in Accessing a printer from another VLAN:
that GUI is available from another subnet here
It's not an issue for me that the GUI isn't available for 'them', as they are captive portal visitors, and I don't want them to 'admin' my printers anyway. The GUI is there for me, and my trusted devices are all in the same LAN anyway.
Because that's what the GUI is all about : setting up printer parameters etc. You don't need the GUI access to print.
Heck, most printer owners don't even know that their printer has a web GUI ...
I made my printers available for a reason : I use the captive portal in a hotel, and my clients have stuff to print, like a plane ticket, or something like that. I can now say to them : "if you are connected to the hotel wifi, just tap on your screen the word Print ... and select any printer you find - for example the one called 'Printer in the Hotel Reception' ." Way often, they are surprised that they can print with their phone / pad ... no driver to install, no hassle, it just plain works ** ... the client is happy, and I don't lose any time with them.
** : that is, Apple devices : printing always works. Android based devices ... far less. Microsoft devices : I'm not sure. Windows can detect printers and other devices on the same network. As far as I know, Windows doesn't make use of what Avahi makes 'visible' to them (shows the existence of devices elsewhere) but as these devices are on another network, things start to be complicated. Although a PC could reach out to the device, check out the GUID, so it knows what driver it needs, etc .... but no ... Microsoft is still locked into the ancient Network Neighborhood mentality.
@the-other said in Accessing a printer from another VLAN:
Just added rules in pfsense to reach brother.
Did that : see above.....
But I retried it again ....
And and - or and : it worked ! Mayday ... firewall to the rescue :
First rule : typical web TCP traffic (alias ports called "MostbasicPorts") is now blocked.
The second rule gives them access ....
Thanks for having me recheck this. My Brothers' GUIs were actually accessible from other networks ...
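The rule order described in this thread (block the "MostbasicPorts" alias towards the printers first, then pass everything else to the 'Printers' alias) can be checked with a small first-match model. This is an added example, not code from the thread or from pfSense; the IP addresses and the alias contents are constructed assumptions, and 631 (IPP) and 9100 (raw TCP) are the usual print ports.

```python
import ipaddress

# Constructed values: the thread gives neither addresses nor full port lists.
ALIASES = {
    "Printers": ["192.168.1.21", "192.168.1.22"],   # hypothetical printer IPs
    "MostbasicPorts": [21, 22, 23, 25, 80, 443],    # assumed alias contents
}
PORTAL_NET = ipaddress.ip_network("192.168.2.0/24")  # captive portal LAN

# Rules on the captive portal interface, in the order the posts describe.
RULES = [
    {"action": "block", "dst": "Printers", "ports": "MostbasicPorts"},
    {"action": "pass", "dst": "Printers", "ports": None},  # None = any port
]

def evaluate(rules, src, dst, port):
    """First matching rule wins; no match falls through to default deny."""
    if ipaddress.ip_address(src) not in PORTAL_NET:
        return "block"  # rules on this interface only see portal clients
    for rule in rules:
        if dst not in ALIASES[rule["dst"]]:
            continue
        if rule["ports"] is None or port in ALIASES[rule["ports"]]:
            return rule["action"]
    return "block"

def audit(rules):
    """Verdict per port for a portal guest talking to the first printer."""
    guest, printer = "192.168.2.50", ALIASES["Printers"][0]
    return {p: evaluate(rules, guest, printer, p) for p in (80, 443, 631, 9100)}

if __name__ == "__main__":
    print("as posted:", audit(RULES))
    # With the order swapped, the pass rule shadows the block rule and the
    # printer web GUI becomes reachable from the guest network.
    print("reversed :", audit(list(reversed(RULES))))
```

The GUI over HTTPS stays blocked only if 443 is actually in the port alias, which is worth verifying on the real firewall.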
-
@Gertjan
Yeah, I hear you with other users not administrating your printer(s). Same here (although it is only me and my son here). Yes I love my child, no I will not give him admin rights for the printer...
I wanted exactly that: our mobile devices in their different vlans can print. GUI for my tablet was just for trying it (reading this post). Scans work in different vlans from brother, even scanning with paperless ngx is working. I am happy!
So 100 % with you on that one ;)
-
I checked gui access again. In my experience
- the gui is not accessible from the other lans, unless the printer is in active mode
- I never managed to get gui access via IPV6
- I am using the printer's IPV6-address for the installed Brother TCP-driver, since the printer seems to react much faster to IPV6
(and all my devices using the printer can handle ipv6)
- I did not test the scanner yet. For me less interesting since I also have a flatbed scanner next to my computer
- That the gui is not accessible via another lan is not like it should be, but not dramatic
-
@louis2 said in Accessing a printer from another VLAN:
the gui is not accessible from the other lans, unless the printer is in active mode
If it is sleeping, the GUI server part is shut down ?
@louis2 said in Accessing a printer from another VLAN:
never managed to get gui access via IPV6
My 5100 doesn't support DHCP6, only a rudimentary Ipv6 static setup, I had to set up manually an IPv6 :
and I had to create an IPv6 host override (bottom part of the resolver).
Now, when I visit "https://brother-hotel....... my browser accesses the printer GUI using IPv6.
-
@Gertjan
hey there,
same here: put printer's IPv6 (here I use ULA instead of GUA) in unbound's host override. I can reach my printer now via IPv4 and IPv6 (ULA) from subnets. Using SLAAC, since my ISP is giving out dynamic v6 prefixes.
Works fine for me, used those IPs (v4 and v6-ULA plus FQDN) in brother printer's certificate for ssl (thanx to pfsense's cert manager easily done).
Surprisingly, my printer's GUI is reachable even when the device is asleep (energy saving mode)...
-
Sorry, GUI via IPV6 is working! Even better, in contrast to IPV4 it always works, even if the printer is 'asleep'.
Since I use fixed addresses for all my equipment, I did set up the IPV6-address via the printer GUI.
In general IPV6 seems to work significantly better than IPV4.
So it's all working now.
I found and downloaded the manual. Much more info than in the online manual. Not so easy to find that download, since it is not an item in the download menu. I found it some way via the online help menu.
There are a lot of options I will probably never use.
I just do not like that:
- it is possible to change some settings via the panel without any form of authorisation, e.g. you can change the IP-address ....
- less severe, as far as I know I can not limit gui access based on IPV6 address. However, then there is password protection
-
@Gertjan said in Accessing a printer from another VLAN:
far less. Microsoft devices : I'm not sure. Windows can detect printers and other devices on the same network, As far as I know, Windows doesn't make use of what Avahi makes 'visible' to them (shows the existence of devices elsewhere) but as these devices are on another network, things start to be complicated. Although a PC could reach out to the device, check out the GUID, so it knows what driver it needs, etc .... but no ... Microsoft is still locked into the ancient Network Neighborhood mentality
Well, I have to take my words back : I was wrong.
I brought with me my windows pro 11 laptop, and connected the wifi to my captive portal network.
All went well, I was presented immediately with a login page, and I could connect.
As windows doesn't 'know' (recognize) the network, the network was defined as the default, safe public mode. This means that my laptop will not see/use/access any local resources except the gateway. This is enough for a working Internet connection.
I switched to "trusted".
Then : Settings -> Bluetooth and Devices -> Printers and scanners and hit "Add a device".
After several seconds, it started to list all my brother printers and the big Ricoh copy color scanner printer. All these devices are on my LAN, and my laptop was connected to another LAN, my OPT1 or captive portal network.
So, I have to take back my words : Windows 11 (pro, if that matters) works just fine, it can see and use printers on other networks. IMHO : It must be using the announcements that Avahi makes on my portal network.
-
@louis2 It's not that it works better, just that most firmware these days gets confused in dual-stack mode, especially during reduced power CPU states. I have setup HAProxy in TCP mode to act as a mediator for both IPv4 and IPv6 addresses of my printers. This opens up a lot more possibilities (as far as authentication and authorization for printing goes) through the use of an SSO, such as authelia.
-
@Gertjan Both things are true. Yes, Win11 works just fine, but also MS has made a mess with all windows config that is not likely to be resolved until they completely move away from the old control panel and consolidate all GP options to have counterparts in the Settings app. They are caught between the need to move on (completely) to the new way of doing things (general DNS and native TCP/IP solutions for everything) and the need to support those clients that, while they upgraded their server and desktop Windows to a new version, their setup is unchanged (or at least, its topology is) from the one they had in the Windows Server 2003 days...
I ranted all that, because the option to choose the location for a network (or options that essentially do the same thing) exists in at least 5 different places in the OS. Registry, netsh powershell, GPEdit, control panel, settings... All methods of configuring a setting should be about the same setting (eg, in registry). That is currently not the case.
-
I completely agree with the windows11 config mess. In windows 7 and 10 it was simple / logical how things should be configured. Windows 11 is shit IMHO.
I strongly prefer ^the old^ configuration screen!
-
@louis2 Man, I dream sometimes that all that "new age" (in reality we are too lazy and cheap and fired all old devs or drove them out) crap would go away, and Windows would have the Vista UI, with that Aero Glass, and through the years the OS would have gotten thinner and lighter, and with today's hardware... That would be AWESOME! But... the new design team likes the almost minecraft style UI they made in 2 days and called it a day. For shame.
-
@louis2 "Oh, isn't it nice, dear, that you can have 2105549 different ways to change 45032432452345 configuration variables for the same exact thing? Should we create, besides settings, an old control panel, a new control panel and a "did you just assume my age?" control panel? Isn't it nice that we have 96% of our devs (windows team) find ways to make money off the user's data and metadata and blast them with ads or sponsored content from every direction? Aren't we serious and good at our jobs, and show that we take things seriously, when the differences from one major upgrade to the next are a few more ways to align the start button and some changes to the color of the icons? Also, wait for Windows 123 in order to have taskbar toolbars again?" BARF
-
@louis2 I say, the right time for Windows Vista is now. It's almost the same kernel. Remove GPOs, rewrite/patch the NT kernel (without telemetry), optimize the Aero Glass UI for new HW, slap a one time fee of 500$ for 10 years (I would happily pay that), su and take my money.
-
@ myself Hahaha, for whomever didn't realize it, this is what an unnecessary rant looks like. Let it serve as an example of what NOT to do in this forum. Please, read the forum rules.