Internal Routes to Subnets for Ricoh printer

  • Hey all,

    We have a pfsense router version 2.1.3-RELEASE.  Everything works… :)

    We patched to the latest version, and 99.9% of everything works except printing to a Ricoh MP 3554 printer on another internally routed subnet... :(.  The web interface works, local subnet PCs can print, but any machines on another subnet (including our printer server) can't print to it...

    I'm routing on one LAN interface to multiple internal subnets (i.e. Route on a stick).

    Has something changed in versions 2.3.2+ that would cause printing protocols to act up?  Jobs queue on the server, the printer gets a bit of data then errors out while the print server queue remains.  The printer properties timeout within windows, but again the web UI page works 100% on the printer (port 80 naturally) and it's pingable.  Maybe it's not the routing as the issue is obviously higher up the network layers...

    Any input would be awesome... :(


    Without any hard details, all anyone can do is guess.

  • Yea, I know … Was going to go into a lot of detail, but thought I'd start with a light overview.

    I'll throw something together illustrating the network.


  • LAYER 8 Global Moderator

    "I'm routing on one LAN interface to multiple internal subnets (i.e. Route on a stick). "

    So you're doing this with vlans - or you just running multiple layer 3 over the same layer 2??

    As KOM already stated without some details impossible to say what your issue is.. I print from multiple network segments without any issues.

  • I'll get something together to illustrate, but no vlans.

    Connectivity is 100% with the older version of the program, but the newest version causes this ONE printer to stop working.  We have web, mail, database, apps, IPphones, etc routing through the internal interface - and it's only this ONE printer… Ricoh suggested something about a possible ARP flood or loop... but I think we'd be seeing more issues than the one printer.

  • Well, do a packet capture and filter based on the Ricoh IP address.  Load it up in Wireshark and see what's going on.

  • LAYER 8 Global Moderator

    "I'll get something together to illustrate, but no vlans.  "

    So you're running multiple layer 3 over the same layer 2??  If so then yeah that is BORKED!!  If you have multiple segments they either need to be completely physically isolated on different layer 2 devices, dumb switches different interfaces.  Or you need to do with vlans and smart/managed switches that allow you to create the multiple layer 2 networks that way.

  • OK… I spoke too soon regarding the vlans.  Yes, there is a vlan off our layer 3 switch that is the destination for the route via the LAN port on the pfsense router.  This all works 100%.  I've attached an image.

    I did think of wireshark, but due to this link being a production one my testing was limited.  I recall having issues, but will revisit ASAP.

  • LAYER 8 Global Moderator

    If you're using a downstream layer 3 switch, then pfsense should not be routing traffic between these vlans.  So this downstream L3 (router) should be connected to pfsense via a transit network.  But it seems it's connected on this vlan 1 you're using for your other devices.

    Andy you have a default gateway setup on pfsense for this 10.0.0/23 network?

    You're going to run into asymmetrical routing problems in such a setup from what I can make of it.

  • We don't seem to have any routing issues… No dropping packets or anything.  Everything from a layer 2 - 3 perspective is fine - even after the upgrade (pings, web, phones, etc) just printing protocols to this one ricoh doesn't work.

    Are you saying I should be trunking that link between the pfsense and layer 3 switch (similar to this cisco image attached)?

  • LAYER 8 Global Moderator

    That drawing is not using a downstream router..

    You clearly could have asymmetrical routing problem in your shown config..  (see attached)

    You have a computer on vlan 1 what is its gateway??  Pfsense or the L3 switch SVI on vlan 1?  If you're pointing it to the SVI on the switch there would not be asymmetrical when talking to the printer vlan.  And if your client is pointing to the L3 as its gateway then pfsense would have ZERO to do with your client talking to your printer.  But you would have a problem when trying to go to the internet.  If you're going to run in such a setup where you have hosts on what should be your transit then you need to do host routing.

    How a L3 switch would normally be setup would be with transit that has no hosts on it.

    So see 2nd attachment.  Where you have a transit network that connects pfsense to your L3.  Pfsense would be the default route for your L3, and pfsense would have a route for downstream networks on the L3 pointing to the L3 IP in the transit network.

    Now your client(s) in this vlan off your L3 would use the SVI of the L3 as their gateway.  So in your drawing the IP..

  • Yea… The router was setup prior to any subnets, and we have a lot of 1to1 nating with public IPs, and IP based rules, so the new subnets pretty much just grew off the current config without a major overhaul.

    The clients on the do use the pfsense as their gw (

    I do see with your first image what is happening... I have a feeling the Ricoh's don't like the routing for their printing as everything else works...  Funny though - the Ricoh works as is, but the pfsense update must change something with routing a bit then.

    hmm... I've attached another drawing just for the sake of it.  I'll have to read up on the Host Routing you've mentioned... Some of these concepts are new to me.

  • LAYER 8 Global Moderator

    Yeah you're going to have asymmetrical routing problem for sure in such a setup..  What you need to do since the clients are using a print server is on the print server create a route statement that says if it wants to talk to 10.1.0/24 to use the L3 svi in the 10.0.0/23 network - ie that IP.

    That will remove your asymmetrical routing problem.

    But the long term fix would be to connect pfsense to your L3 via a transit network that no hosts are on.  This will remove the possibility of any asymmetrical routing conditions.

    edit: another way to do it would be remove the L3 doing the routing and just route all your segments at pfsense via either more interfaces and untagged uplinks from your switch or via vlans.  This might mean some hairpin traffic for some intervlan traffic but has the added benefit of allow for easy firewall rules between your network segments.

    How many total vlans/networks do you have and how many interface available on pfsense?  How many ports open on your switch?  You could use different uplink for each network/vlan from the switch to pfsense to remove any hairpin traffic between vlans.
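
The asymmetry discussed above, and the effect of the host route on the print server, worked through as an added example (not part of the original thread). The host addresses, the printer's gateway and the L3 switch's default route are assumptions; the thread gives only the prefixes 10.0.0/23 and 10.1.0/24. It computes which devices forward each direction of the flow and reports any device, such as a stateful firewall, that sees only one direction.

```python
import ipaddress

# Constructed addresses: the thread gives only the prefixes 10.0.0/23 and 10.1.0/24.
net = ipaddress.ip_network
LAN, PRINTERS, DEFAULT = net("10.0.0.0/23"), net("10.1.0.0/24"), net("0.0.0.0/0")
PFSENSE, SVI_LAN, SVI_PRN = "10.0.0.1", "10.0.0.2", "10.1.0.1"
SERVER, PRINTER = "10.0.1.20", "10.1.0.50"
OWNER = {PFSENSE: "pfsense", SVI_LAN: "l3switch", SVI_PRN: "l3switch",
         SERVER: "print-server", PRINTER: "printer"}

def routing_tables(host_route):
    """Per-device (prefix, next hop) tables; next hop None means directly connected."""
    server = [(LAN, None), (DEFAULT, PFSENSE)]
    if host_route:  # the suggested fix: reach the printer subnet via the L3 SVI
        server.append((PRINTERS, SVI_LAN))
    return {
        "print-server": server,
        "pfsense": [(LAN, None), (PRINTERS, SVI_LAN)],
        "l3switch": [(LAN, None), (PRINTERS, None), (DEFAULT, PFSENSE)],
        "printer": [(PRINTERS, None), (DEFAULT, SVI_PRN)],
    }

def path(tables, src, dst):
    """Devices a packet from src to dst traverses, using longest-prefix match."""
    node, hops = OWNER[src], [OWNER[src]]
    while node != OWNER[dst]:
        matches = [(p, nh) for p, nh in tables[node] if ipaddress.ip_address(dst) in p]
        next_hop = max(matches, key=lambda m: m[0].prefixlen)[1]
        node = OWNER[next_hop or dst]  # on-link: deliver straight to the destination
        hops.append(node)
    return hops

def one_sided(host_route):
    """Devices that see only one direction of the print-server/printer flow."""
    t = routing_tables(host_route)
    return set(path(t, SERVER, PRINTER)) ^ set(path(t, PRINTER, SERVER))

if __name__ == "__main__":
    for fix in (False, True):
        t = routing_tables(fix)
        print("host route on print server:", fix)
        print("  request:", " -> ".join(path(t, SERVER, PRINTER)))
        print("  reply:  ", " -> ".join(path(t, PRINTER, SERVER)))
        print("  sees one direction only:", one_sided(fix) or "none")
```

Without the host route, the request crosses pfsense but the reply returns from the L3 switch directly to the print server; with it, both directions use the same path and pfsense is no longer involved.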

  • Hmm… Well - The current pfsense box has only 2 nics, but I've been considering some changes there as well.

    Avoiding asymmetrical routing must be painful on networks with more routers.  I'm going to have to review our entire setup here as we do have another route on the network here...

    Is it possible to use the transit network for multiple routers?


  • LAYER 8 Global Moderator

    Yes u could use a common transit for all your routers
