Printer on Separate VLAN Issue

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

The pfblocker logs appear to be all empty!

What log ?

Goto this page :

and hit Ctrl-F, type in the IP LAN of the printer, and see what pops up.

Also check the "Unified" log, look under "SRC".

@Popolou said in Printer on Separate VLAN Issue:

squid, squidGuard,

Now all bets are off .... you just opened up a whole swimming pool full of potential issues

stevencavanagh

@Gertjan

Checked logs as described and nothing at all with the printer ip address

the other

@stevencavanagh
well, tried to disable snort and co for a test to be sure THAT is not interfering?
Are (after that change from Vlan IoT to Vlan Printer) the printer's DNS settings okay? In case DNS info is not sent by dhcp...

stevencavanagh

@the-other

DNS settings seem fine.........

Popolou

@stevencavanagh If the printer is set to DHCP but it is getting those DNS, you got other more fundamental problems to investigate tbh.

stevencavanagh

@Popolou

Such as?

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

DNS settings seem fine.........

No, your handing over all DNS request to "who ever" and not to pfSense (by default 192.168.1.1 - no second DNS needed). All DNS traffic from the printer totally bypasses pfSense.

If you have to give 8.8.8.8 or 1.1.1.1 your DNS requests by contract (they pay you for that info ?) then ok, you do you.
Normally, DNS should be set up per DHCP info received, so DNS is 192.168.1.1 (pfSense LAN IP by default, or whatever you've set up)

You can leave all DNS fields empty (and not 0.0.0.0 !)

Test also with "Enable Auto IP" not checked.

stevencavanagh

@Gertjan

So had a quick look at how the DHCP server is currently set up and changed it so it uses DNS resolver and the DHCP server now shows the server options as blank (DNS Server 1 now has the gateway in automatically ie. 192.168.0.1) for the LAN. I assume this is now correct?

Gertjan

@stevencavanagh

If 192.168.0.1 is your pfSense LAN IP, then, IMHO,

stevencavanagh

@Gertjan

Yes it is, so will update the VLANs accordingly and then try the other things you suggested ie. Not auto ip etc and see what happens.

stevencavanagh

@Gertjan

Didn't seem to make any difference unticking "enable Auto IP" unfortunately.

stevencavanagh

Just in case anyone else ends up in the same place as me..............

I managed to solve the issue and found there was no access to the internet on the PRINTERS VLAN, despite having the firewall rules allowing it!

Eventually I stumbled upon the Firewall NAT Outbound rules, which was populated with 2 rules per VLAN (had been done automatically, presumably when setting up the VLANs).

These rules did not exist for the PRINTERS VLAN. Added these rules manually and all sprung into life!

What I cannot understand is why these had not been created in the first place!! The outbound NAT mode was showing 'manual outbound NAT rule generation'.

Thought this would have been set to Auto??

Never mind, all working now but at least I've picked up some extra knowledge. Thanks to everyone for helping me sort this out, it is greatly appreciated.

Steve