Netgate Discussion Forum
    Firewall rule for network printers in a different VLAN

    Firewalling
    6 Posts 3 Posters 11.0k Views
    ttanemori

      We have several VLANs configured with pfSense.

      VLAN 104 has a network printer (192.168.104.2), and I want people in different VLANs to be able to print to it.

      They can see the web interface of the printer (https://192.168.104.2), but it does not print. The error is that the printer status is not available.

      I am wondering if my firewall rule is incorrect.

      Attached is the firewall rule for VLAN 104.

      Could you please advise me on how to make it work?

      Thank you very much.
      [attachment: printer.PNG]

      georgeman

        You don't need firewall rules on the destination network. You have to allow the traffic on the source network, towards 192.168.104.2.

        If it ain't broke, you haven't tampered enough with it

          ttanemori

          If so, I do not understand VLANs and routing correctly. May I know where I should look in pfSense?

            johnpoz (LAYER 8 Global Moderator)

            You meant to say you don't understand firewalls. pfSense rules are INBOUND to the interface, not outbound. Juniper is like this, Checkpoint is like this, Cisco is like this, while it is possible to do both depending on your product. Firewall rules are looked at INBOUND to the interface: does the firewall want to allow the traffic "through"? Think of it as a stop light. Is it red or green? Do you get to the other side of the street before you look at the light?

            So you have 2 network segments, let's call them vlan100 and vlan200. So in pfSense you have 2 interfaces, vlan100 and vlan200, with firewall tabs.

            If a client on vlan100 wants to talk to vlan200, what is the path the traffic takes? It leaves the client NIC, then goes inbound to the pfSense vlan100 NIC, and then outbound on the pfSense vlan200 NIC to the device on vlan200 (let's call it a printer).

            So where is the firewall rule placed? Why would you put it on vlan200? That means the traffic has already gone into pfSense, and pfSense had to process the traffic and route it to the vlan200 interface just to figure out, hey, no, you're not allowed to go there?

            You put the rule on the interface that will first see the traffic. So when it leaves the vlan100 client NIC and hits the pfSense vlan100 NIC, this is when pfSense determines, hey, should I allow that traffic or not. So this is where you put the rule.

            So on your source VLAN that wants to talk to the printer on vlan104, you allow the traffic to go to its IP on the protocols you want. Since pfSense is stateful, it will allow the return traffic.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              ttanemori
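            The ruleset below is an added example, not code from this thread and not the ruleset pfSense itself generates. It writes what johnpoz describes in pf.conf syntax: the decision is made by rules on the interface where the packet first enters pfSense (the client's VLAN), nothing is needed on the printer's VLAN for the request, and the reply is admitted by state rather than by a rule. The interface names vlan102 and vlan104, the print-protocol ports and the use of SNMP for status are assumptions made for the example; on a real pfSense box the VLAN interfaces carry names like igb0.102 and these rules are normally built in the GUI rather than typed into pf.conf.

```pf
# Added example (not from the thread): rules for VLAN102 clients printing to
# a printer on VLAN104, written on the interface the traffic ENTERS.
# Assumed names: vlan102 / vlan104 are the pfSense VLAN interfaces.

printer   = "192.168.104.2"
# Standard print-protocol ports (assumption, not stated in the thread):
# 9100 = raw/JetDirect, 631 = IPP, 515 = LPD, 443 = the printer's web UI.
print_tcp = "{ 9100, 631, 515, 443 }"
# Many print drivers poll "printer status" over SNMP (UDP 161).
snmp_udp  = "161"

table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# pfSense evaluates rules first-match ("quick") on the interface a packet
# arrives on. A VLAN102 client's packet arrives on vlan102, so this is the
# only place the allow decision is made. The printer's reply arrives on
# vlan104 and is matched by the state these rules create, not by any rule.
pass in quick on vlan102 inet proto tcp from vlan102:network to $printer port $print_tcp keep state
pass in quick on vlan102 inet proto udp from vlan102:network to $printer port $snmp_udp keep state

# Clients still need DNS from pfSense itself before the RFC1918 block below.
pass in quick on vlan102 inet proto { tcp, udp } from vlan102:network to (vlan102) port 53 keep state

# Internet access: allow everything except the other private segments.
# The printer rules above already matched with "quick", so this block does
# not affect printing; it only stops VLAN102 from roaming the other VLANs.
block in quick on vlan102 inet from vlan102:network to <rfc1918>
pass  in quick on vlan102 inet from vlan102:network to any keep state
```

            Ordering is the whole point: a single "VLAN102 net to any" pass rule, as in the GUI default, already covers the printer, but it also covers every other VLAN. Putting the narrow printer rules first and the RFC1918 block second keeps Internet access while limiting inter-VLAN reach to the one host and the protocols actually needed. Nothing here needs to change on the vlan104 tab.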

              Thank you very much. Now I know that I did not understand anything about the firewall on pfSense.

              I got a bit confused about it. This is the access I want to allow.

              Client computer --> VLAN102 --> VLAN104 --> Printer

              Based on the explanation about where I should put the firewall rule, I added a new rule on the VLAN102 firewall.

              But I realized that there was already a rule allowing access from the VLAN102 subnet to any. It was a basic rule to allow clients in VLAN102 to access the Internet. (Is it wrong? Was I supposed to make a rule from the VLAN102 subnet to WAN?)

              I added a new rule to allow access from the VLAN102 subnet to the printer's IP, but the above rule seems to cover it.

              Could you advise me on the best rules for VLAN102 members so they can surf the Internet and use the printer in VLAN104?

              Thank you.

              [attachment: Capture.PNG]

                johnpoz (LAYER 8 Global Moderator)

                What version of pfSense are you running? Curious about that drop-down for the firewall tab.

                You've got something else wrong. It's not your firewall rules: your 2 top rules are any/any, so your 2 VLANs should be able to do whatever they want to each other.

                Does your printer have a gateway set? I see this quite often with printers when you cannot hit them from another segment.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.