HP printer across VLANs

francisferrell

My setup is pfsense, a unifi switch, and a unifi AP. I've configured 2 vlans, trusted and guest. In the unifi controller, trusted is a corporate LAN and guest is vlan only. Moreover, the wifi settings in unifi are exactly the same (most importantly: "block lan to wlan broadcast" is disabled for both wifi networks).

My printer is wired to the trusted network and I'm trying to give guest access to it. Printing is working, but mDNS discovery is not. Given that it's the guest network, I want discovery to work.

I have installed avahi on pfsense and enabled reflection.

Here are my trusted firewall rules

Here are my guest firewall rules:

As you can see, I've been fiddling with specific rules for guest rules; but I've done all this testing with that "allow everything" turned on and the more specific rules disabled.

I'm testing with 2 clients: a Linux laptop and an Android phone. I'm using a chromecast also for comparison.

Here are the symptoms I observe:

Linux wired trusted: discover works, printing works
Linux WIFI trusted: discovery works, printing works
Linux wired guest: discovery works, printing works
Linux WIFI guest: no discovery, printing works (if I set it up manually or let avahi cache from when it did discovery on trusted)

Android WIFI trusted: discovery works, printing works
Android WIFI guest: no discovery, haven't tested printing

For comparison, with the chromecast:

Android WIFI trusted: discovery works, casting works
Android WIFI guest: discovery works, casting works

Given that both firewalls are wide open, I don't think the pfsense firewall is at fault.
Given that discovery works when wired into guest, I don't think that pfsense's avahi is at fault.
Given that printer discovery works on trusted WIFI, I don't think that the unifi AP is at fault.
Given that chromecast discovery works on trusted and guest WIFI, I don't think anything is at fault.

This is driving me crazy. What am I missing?

JKnott

@francisferrell

MDNS uses multicasts and multicasts are not normally passed by routers, unless specifically enabled. So, that means mDNS will not be passed between VLANs.

francisferrell

@JKnott thanks for the quick reply, but maybe you have missed a few points in my post.

I have installed avahi on pfsense and enabled reflection across the trusted and guest vlans.

Also, discovery of the printer is working on the guest side when wired.

Also, discovery of the chromecast works in all 4 use cases (wired and wifi, trusted and guest).

JKnott

@francisferrell

Well, time to do some packet captures, to see where it fails. You can run Wireshark on the computers and Packet Capture on pfsense.

francisferrell

It started working even though I haven't changed anything in my config.