Access LAN Printer on GUEST VLAN

newberger

I have set up VLAN for Guest Wifi Access and it appears to be working as expected. I'm new to VLANs and appreciate any assistance.

I want to give guest access to the network printer (assigned a static IP address in pfSense).

Here are my Guest VLAN firewall rules. I can ping the printer from the guest network and access the printer interface (will disable this later), but Windows can't find the printer on the network to setup for printing.

GUEST FIREWALL.jpg

I can provide any additional detail needed on the hardware/software setup as requested.

Rico

AFAIK Windows is using Auto Discovery for printers in the local subnet only.
So you need to enter the printer IP manually when installing the driver.

-Rico

johnpoz

Yeah you will need to tell windows the IP or fqdn of the printer, discovery is only ever L2.. (same network)

newberger

Ok - thank you for the replies, I will setup manually.

johnpoz

You have other options

setup mdns to work across your different L2s - igmp proxy, pimd are 2 options in pfsense that could get this working.
move your printer to that L2 network.. So now your guest can discover it, and you can easy setup your devices on your networks to just print to that IP.

I use 2nd option sort of, my guest network have zero need to print ;) But my wife likes to print from the phone or tablet on our trusted wifi network.. Only our devices can connect to this network since it uses eap-tls to auth.

So the printer sits on this vlan.. So her phone and ipad easy find the printer. My PC, just points to the IP of that printer..

edit: Just thought of 3rd option... Run something on your guest vlan that serves up the printer via discoverable methods.. Say a PI for example.. And have it allowed access to the printer it sharing via IP or fqdn..

newberger

John - thanks, I appreciate the additional options. These are new topics for me, but I can research further.

On option 1, I see that your setup is a lot like mine (except Nest). The only other VLAN I have setup so far is for my IOT devices. Also, the concerns you bring up in that post seem valid.

Option 2 seems easiest. Like your network, we really don't have guests often on the wifi.
(Edit: I am using the Guest wifi for my office laptop as I work-from-home now. I was able to setup the printer with the IP, as you suggested initially)

Option 3: you are saying add an RPi to Guest, connect Pi to printer directly via IP and then share the printer so the guest users can then discover the shared printer? I do have an unused RPi, so could look at this option, also.

johnpoz

If you have your office laptop working already.. Your done I would think - unless you want to explore other options... I am not a fan of passing multicast or even mdns discovery across L2 boundaries... So really wouldn't suggest that - but it is an option to get discovery working..

The best option IMHO is just putting the printer where you need to be able to use discovery feature - if that is your guest vlan, put it there, if its some other vlan put it there... Where discovery would be needed most is prob the best place..

In my case its the trusted wifi vlan.. So I just put the printer on that vlan..

As to option 3, yeah if you want to play around you could put some sort of printer server - that supports whatever discovery methods you want your clients to be able to use.. Say a pi running cups, that just shares out the printer that is on some other vlan.. The cups server will have the printer manually configured on it.

If I had some need to provide printer access to my guest wifi network, that is what I would do.. I would just fire up a vm on that vlan and have it share the printer.. Hmmm wonder if I could do that with a docker off my nas, been meaning to find a reason to fire up a docker connected to a vlan ;)

NOCling

Printing use most tcp/9100 somtimes snmp tcp/161 in addiotion.

pfsense management is only on LAN Net Standard, rule 1 is therefore not necessary, I think you have no hits on it.

I run unbound and allow dns and ntp to firewall for all internal Networks.

newberger

@johnpoz said in Access LAN Printer on GUEST VLAN:

If you have your office laptop working already.. Your done I would think - unless you want to explore other options... I am not a fan of passing multicast or even mdns discovery across L2 boundaries... So really wouldn't suggest that - but it is an option to get discovery working..
The best option IMHO is just putting the printer where you need to be able to use discovery feature - if that is your guest vlan, put it there, if its some other vlan put it there... Where discovery would be needed most is prob the best place..
In my case its the trusted wifi vlan.. So I just put the printer on that vlan..

As to option 3, yeah if you want to play around you could put some sort of printer server - that supports whatever discovery methods you want your clients to be able to use.. Say a pi running cups, that just shares out the printer that is on some other vlan.. The cups server will have the printer manually configured on it.
If I had some need to provide printer access to my guest wifi network, that is what I would do.. I would just fire up a vm on that vlan and have it share the printer.. Hmmm wonder if I could do that with a docker off my nas, been meaning to find a reason to fire up a docker connected to a vlan ;)

Again, thanks for the follow up email. That makes sense on determining the "host" VLAN for the printer. I'll probably leave it as is for now.

Yes, I did read about cups after I posted and it looked like best option if I went down the RPi route. However, funny you mention the NAS. I do have two QNAP NAS and could do the docker/VM. Haha! Perhaps a project for later! :)

johnpoz

Not sure about qnap, but I would think they could do print serving functions - synology does for example

So as long as your nas as an interface in the network your wanting to "share" the printer on via discovery that works.. But not really a good idea to multihome something like your nas..

So a VM or docker would prob be a more secure way of doing it. I just took a quick look at my nas, and I could just add a vlan interface to it, and the print server function would work... But that would expose the whole nas to that vlan.. Not something I would want.. If I was going to do it, I would just expose the vm or docker running print server function to that vlan..

But in the big picture.. Its way less complicated to just put the printer on the vlan you want discovery to work, and just setup connections to the printer from your other vlans via ip or fqdn ;)

Glad you got your office laptop working - feel free to explore the other options... I have multiple vlans running with multiple wifi networks, etc. and devices could use for testing if say airprint works.. So if you run into such a question - just post a question in the general area since that not really pfsense related, and prob find see it and chime in ;)

newberger

@johnpoz

Yes, QNAP has similar functions, but that makes sense on the setup. I think I will stay with the simple (aka, "working") setup! ;) Thanks for all your help, as usual!