Can't print from wireless VLAN to printer on LAN

jeffboyce

pfSense is my network gateway and router. I have a couple of VLANs setup on my network (wired LAN, private wireless, guest wireless, and IOT stuff).

I recently had to move my office desktop to another room in the house while we are having some remodeling done. My desktop used to be connected to the wired LAN, but now is only connected to the private wireless network. The printer has remained connected to the wired LAN. Since moving my desktop to the private wireless network, I can no longer print documents from my desktop.

This may be solvable by changing the network settings on the printer. But I don't want to go that route as I would like to be able in the future to print from selected wireless devices in the house to the wired printer when things get re-arranged back to normal.

I am not sure whether I need to make changes to the routing, or whether I need to make changes to firewalling between VLANs. Where should I be looking to see why a print job isn't getting to the printer?

From my desktop I can ping the printer by IP and by name. I can also pull up the web interface of the printer at the desktop. The desktop has already been setup to print to the printer when it was connected to the wired LAN.

Network details:
Wired LAN 192.168.123.0/24
Private Wireless 192.168.124.0/24
Printer IP 192.168.123.11
Desktop Wireless IP 192.168.124.150

If you need any additional information to provide guidance please let me know. Thanks.

Jeff

DaddyGo

@jeffboyce said in Can't print from wireless VLAN to printer on LAN:

From my desktop I can ping the printer by IP and by name. I can also pull up the web interface of the printer at the desktop. The desktop has already been setup to print to the printer when it was connected to the wired LAN.

Hi,

but now the situation has changed because of this

Wired LAN 192.168.123.0/24 to Printer IP 192.168.123.11 OK
Desktop Wireless IP 192.168.124.150 to Printer IP 192.168.123.11 ---- hmmmm?

Pls., so make a good rule for this .124. to .123. / and all will be well again

jeffboyce

Thanks for helping me narrow it down to firewall rules. Your suggestion is pretty much what I was thinking I would need if it was a firewall issue and not routing. But looking at my firewall rules it looks like I already have that covered, unless I am mis-understanding my rules.

Here is what I have in my wired LAN rules. There is a default allow LAN to anywhere rule.

And here is what I have in my private wireless LAN rules. A default allow private wireless LAN to anywhere rule.

Do I need something more specific? And it is unclear to me under which LAN the rule should go, the wired LAN or the private wireless LAN?

Jeff

DaddyGo

@jeffboyce said in Can't print from wireless VLAN to printer on LAN:

Do I need something more specific?

I have a similar (nearly similar) rule for accessing the MGMT of a VOIP ATA unit on another interface, this can be a good starting point, here I only allow a source IP address to a destination IP address...

interpret it for your case and you can even control a whole subnet (f.e.: with aliaseses) , because of the printer, to other devices on other interfaces

f.e.:

jeffboyce

Ok I put in some specific firewall rules hoping that take care of it, but alas still not printing. And I am really befuddled because I am not seeing anything show up in the logs that would give me a hint of what is going on.

I progressively added rules on the LAN vlan, and also the private wireless vlan, with logging, until I though I had all bases covered. Still no printing. Here are my current rules for the LAN and the private wireless vlan showing that I have opened up the firewall both directions from both vlans.

For reference by desktop is at 192.168.124.150 and the printer is at 192.168.123.11.

johnpoz

How exactly are you setup to print to this printer? Airprint? That is not going to work across vlans because you can not discover it.

I print from my PC to my printer on another vlan just fine.. But I have my printer setup to print to the actual IP/FQDN of the printer.. No discovery is needed.

I take it when you ping or access the gui of the printer your using the ip/fqdn to access and not a discovery method?

The only rules that would be needed is on the interface the PC is on, any return traffic would be allowed by the state. No return rules are needed on the interface the printer is on.

My pc is on my lan 192.168.9.100, my printer is at 192.168.2.50, this is my trusted wifi network, but the printer is wired on this vlan.

jeffboyce

When I brought my work computer home at the beginning of COVID I just added / installed the printer driver for it through the standard Windows printer setup process (desktop system is Win7 and both were on the same wired vlan at that time). Recently I had to move my desktop to another room, where it is now connected to my home network via the private wireless vlan (through a Ubiquiti WAP). The printer is still connected to the wired vlan.

I am not familiar with what Airprint is so I can't respond to that. The printer does not have a wireless network connection, only the wired one.

But, following your lead I started looking at the printer properties and discovered that the printer is listed as using a WSD port on my desktop. I had never seen this before (and I manage the computer systems for my company's small office). After doing a little research I suspect this WSD port is the cause of my problem. I suspect that once I change this to a standard TCP/IP port my problem will go away. Although my initial research seems to indicate that WSD ports seem to reappear with Windows updates. This is now making sense as to why I was not finding any information in my log files.

I will come back with more updates or my solution after looking at this further. Thanks for the hint of where to look johnpoz.

Jeff

johnpoz

@jeffboyce said in Can't print from wireless VLAN to printer on LAN:

printer is listed as using a WSD port on my desktop

That is a multicast discovery protocol - that is not going to work across vlans.

https://en.wikipedia.org/wiki/WS-Discovery

If you point your pc to the IP of the printer, or the fqdn you have setup on your network you should have no problems.

jeffboyce

Solved.

Thanks johnpoz, this has solved it for me. I deleted the WSD printer port and setup the printer using fqdn and everything just works. No need to have any additional or specific firewall rules between my vlans other than what I originally had. I was even able to get the MacBook to print now, which (grumble, grumble) took a little more finesse. I then updated my Win10 box, and the update did not change my printer port, so that is promising that it will stay that way.

Jeff

johnpoz

@jeffboyce glad you got it sorted..