Printer/Scanner
-
I was attempting to set up my printer/scanner on its own virtual interface to lock it down from internet access etc. In doing so, I ran into two issues:
-
I came to find out network discovery will not work across the interfaces (from what I was able to gather). Bummed about that as it would be helpful for my wife who is used to seeing a printer listed. I was able to make a static connection to it from my Windows computers and print successfully. I have not tried to print to it from the iPads yet, but will look to do so. Is there something I may be missing to get network discovery to work? It didn't look like it was showing any blocks in the firewall logs to me and I had PASS any any in the beginning (from Net interface and Printer interface) just to make sure it could get through.
-
I attempted to go the other direction and set my LAN Windows machine to be able to scan from the printer. The one place you have (that I am aware of) to specify a scanner IP address did not allow the scanner to be found. Going from the printer scan app, it does not give you any option to see a different subnet, so I was stuck in the water there. I then attempted to put it on the same interface as my LAN workstation to eliminate that variable, but it still did not seem to find it (even when specifying IP in scanner properties). Is there something I am missing in getting the scanner to work, or is this functionality not possible (it is a Brother printer if that makes a difference)?
-
-
Discovery, which relies on broadcasts or multicasts, generally won't work between networks. Routers can be configured to pass multicast, but broadcasts shouldn't be passed.
What happens if you manually specify the address?
-
If the discovery protocol uses mDNS you can install the Avahi package to act as an mDNS repeater between the network segments.
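An added illustration of the two replies above (not part of the original thread): it classifies the destination addresses used by common discovery protocols to show why a statically addressed printer is reachable across interfaces while discovery is not. The subnets and printer address are constructed, and the protocol table is a general list, not something confirmed for the Brother device discussed here.

```python
import ipaddress

# Well-known discovery destinations (standard protocol constants).
DISCOVERY = {
    "mDNS (Bonjour/AirPrint)": ("224.0.0.251", 5353),
    "LLMNR": ("224.0.0.252", 5355),
    "WS-Discovery": ("239.255.255.250", 3702),
    "SSDP/UPnP": ("239.255.255.250", 1900),
}

# 224.0.0.0/24 is link-local scope: routers never forward it.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")


def crosses_router(dst, src_net):
    """Return (forwarded, reason) for a packet sent from src_net to dst."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(src_net)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return False, "limited broadcast: stays on the sending segment"
    if addr == net.broadcast_address:
        return False, "subnet broadcast: stays on the sending segment"
    if addr in LINK_LOCAL_MCAST:
        return False, "link-local multicast: needs a repeater on the router"
    if addr.is_multicast:
        return False, "multicast: forwarded only if multicast routing is set up"
    if addr in net:
        return False, "same subnet: delivered directly, gateway not used"
    return True, "unicast to another subnet: routed, subject to firewall rules"


if __name__ == "__main__":
    lan = "192.168.1.0/24"      # constructed LAN subnet
    printer = "192.168.20.10"   # constructed printer address on its own subnet
    for name, (dst, port) in DISCOVERY.items():
        print(f"{name:26} {dst}:{port:<5}", crosses_router(dst, lan))
    print(f"{'static printer address':26} {printer:21}", crosses_router(printer, lan))
```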
-
@3dogs said in Printer/Scanner:
lock it down from internet access
If you're just wanting to block this device from talking to the internet, you sure do not need to put it on its own network segment for that. That is a simple firewall rule to just block its IP.
This would allow for your local multicast/broadcast discovery of the printer to still function.
Another simple no-brainer way to prevent such devices from talking to the internet is to just set up their IP static and not put in a gateway. Or just via DHCP hand them an invalid gateway, say 127.0.0.1
-
@jknott said in Printer/Scanner:
Discovery, which relies on broadcasts or multicasts, generally won't work between networks. Routers can be configured to pass multicast, but broadcasts shouldn't be passed.
What happens if you manually specify the address?
It (Windows) attempts to search for it, but comes up not found.
-
@kpa said in Printer/Scanner:
If the discovery protocol uses mDNS you can install the Avahi package to act as an mDNS repeater between the network segments.
Hmm, interesting. I am not sure if it uses mDNS... I would need to do some research, but this has potential. Is there any downside to installing Avahi? Am I able to just specify that the printer on one interface is able to be 'discovered' but nothing else?
-
@johnpoz said in Printer/Scanner:
@3dogs said in Printer/Scanner:
lock it down from internet access
If you're just wanting to block this device from talking to the internet, you sure do not need to put it on its own network segment for that. That is a simple firewall rule to just block its IP.
This would allow for your local multicast/broadcast discovery of the printer to still function.
Another simple no-brainer way to prevent such devices from talking to the internet is to just set up their IP static and not put in a gateway. Or just via DHCP hand them an invalid gateway, say 127.0.0.1
Well, it wasn't the only reason... I was trying to put it on its own interface to also keep it from being compromised and then having access to things it shouldn't... but I did want to scan and print from my other networked workstations.
Your second point is what I tried to do when I attempted to put it on the same network interface as my workstation... but it still wasn't able to make the necessary connection. It did for Print (with static IP), but not for Scan.
-
If the device is on the same network as the device printing or scanning from it, the printer/scanner would have zero need of a gateway. It would never even be used.
So unless the scanning function needs to access something off the local network to function, it wouldn't need a gateway.
How exactly is it going to get compromised if no internet access? By something on your local network? If so, seems you have bigger problems ;)
Are you trying to use AirPrint? If so, then yes, that is mDNS based.
-
@3dogs said in Printer/Scanner:
It (Windows) attempts to search for it, but comes up not found.
A bit of a problem there then. I've often connected to printers by specifying the address.