Netgate Discussion Forum
    Access IPP printer on different subnet | CUPS on TrueNAS jail

    Category: L2/Switching/VLANs
    5 Posts 4 Posters 1.7k Views
      NinthWave
      last edited by NinthWave

      Since I migrated from a cheap consumer Wifi router to pfSense, I am trying to secure my home network as much as possible.

      I found on shodan that a consumer grade printer can act as a backdoor entry for an attack.

      By default, the printer has 15 different running protocols.

      Actual network

      • LAN = 10.0.0.0
        • pfSense
        • PC
        • TrueNAS server
      • vlan 100 = 10.0.100.0/24, just for the teenager that runs cheats and other potential hazard
      • vlan 110 = 10.0.110.0/24 for private Wifi clients
      • vlan 10 = 10.0.10.0/24 for IOT clients (VoIP, TVboxes, Music Streamer)
      • vlan 20 = 10.0.20.0/24 for the printer alone
      • vlan 15 = 172.16.115.0/24 for Wifi guests clients

      Problem with actual hardware
      I have a Brother DCP-L2540DW with USB, ethernet and wifi connectivity.

      The printer cannot be connected on both ethernet and wifi at the same time.

      The "Brother Print Services" on Android requires that the printer be on the same Wifi network as the client (hence, no VLAN discovery)

      My girlfriend wants to print from her iOS devices (vlan110)
      Her son wants to print from his PC (vlan100)

      I read this similar thread: access-lan-printer-on-guest-vlan

      Setup

      • I have installed CUPS in a jail on TrueNAS (FreeBSD, like pfSense).

      • I have installed the Avahi package, listening to all interfaces

      As long as my WAPs were on LAN, it worked.
      As soon as I moved the AP to vlan100, the clients see the printer but it's unavailable.

      I am not a networking expert but I gathered that "broadcast" is not easily sent through vlans.

      Like @johnpoz said in the thread I linked, I could just put the printer in the Wifi vlan but I'd prefer the CUPS way if possible

      Any options here?

        JKnott @NinthWave
        last edited by

        @ninthwave said in Access IPP printer on different subnet | CUPS on TrueNAS jail:

        I am not a networking expert but I gathered that "broadcast" is not easily sent through vlans.

        No, VLANs handle broadcasts just fine. It's routers that don't pass broadcasts.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          NinthWave
          last edited by NinthWave

          I have this rule in vlan=wifi
          [image: screenshot of the firewall rule on the wifi vlan]

          Maybe this can help CUPS Firewalls

          So should I do something in pfSense to allow the communication through various vlans or;

          Should I do something on CUPS to allow listening through vlans

          #
          # Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
          # complete description of this file.
          #
          
          # Log general information in error_log - change "warn" to "debug"
          # for troubleshooting...
          LogLevel warn
          
          # Deactivate CUPS' internal logrotating, as we provide a better one, especially
          # LogLevel debug2 gets usable now
          MaxLogSize 0
          
          # Only listen for connections from the local machine.
          #Listen localhost:631
          Listen /var/run/cups/cups.sock
          Port 631
          
          
          # Show shared printers on the local network.
          Browsing On
          BrowseLocalProtocols dnssd
          BrowseRemoteProtocols CUPS dnssd
          BrowseAddress @LOCAL
          
          # Default authentication type, when authentication is required...
          DefaultAuthType Basic
          
          # Web interface setting...
          WebInterface Yes
          
          # Restrict access to the server...
          <Location />
            Order allow,deny
            Allow all
          </Location>
          
          # Restrict access to the admin pages...
          <Location /admin>
            #Order allow,deny
          </Location>
          
          # Restrict access to configuration files...
          <Location /admin/conf>
            AuthType Default
            Require user @SYSTEM
            Order allow,deny
          </Location>
          
          # Set the default printer/job policies...
          <Policy default>
            # Job/subscription privacy...
            JobPrivateAccess default
            JobPrivateValues default
            SubscriptionPrivateAccess default
            SubscriptionPrivateValues default
          
            # Job-related operations must be done by the owner or an administrator...
            <Limit Create-Job Print-Job Print-URI Validate-Job>
              Order deny,allow
            </Limit>
          
            <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
              Require user @OWNER @SYSTEM
              Order deny,allow
            </Limit>
          
            # All administration operations require an administrator to authenticate...
            <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
              AuthType Default
              Require user @SYSTEM
              Order deny,allow
            </Limit>
          
            # All printer operations require a printer operator to authenticate...
            <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
              AuthType Default
              Require user @SYSTEM
              Order deny,allow
            </Limit>
          
            # Only the owner or an administrator can cancel or authenticate a job...
            <Limit Cancel-Job CUPS-Authenticate-Job>
              Require user @OWNER @SYSTEM
              Order deny,allow
            </Limit>
          
            <Limit All>
              Order deny,allow
            </Limit>
          </Policy>
          
          # Set the authenticated printer/job policies...
          <Policy authenticated>
            # Job/subscription privacy...
            JobPrivateAccess default
            JobPrivateValues default
            SubscriptionPrivateAccess default
            SubscriptionPrivateValues default
          
            # Job-related operations must be done by the owner or an administrator...
            <Limit Create-Job Print-Job Print-URI Validate-Job>
              AuthType Default
              Order deny,allow
            </Limit>
          
            <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
              AuthType Default
              Require user @OWNER @SYSTEM
              Order deny,allow
            </Limit>
          
            # All administration operations require an administrator to authenticate...
            <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
              AuthType Default
              Require user @SYSTEM
              Order deny,allow
            </Limit>
          
            # All printer operations require a printer operator to authenticate...
            <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
              AuthType Default
              Require user @SYSTEM
              Order deny,allow
            </Limit>
          
            # Only the owner or an administrator can cancel or authenticate a job...
            <Limit Cancel-Job CUPS-Authenticate-Job>
              AuthType Default
              Require user @OWNER @SYSTEM
              Order deny,allow
            </Limit>
          
            <Limit All>
              Order deny,allow
            </Limit>
          </Policy>
          
          

          or

          both ?

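          Added example (not from any poster in this thread, and not part of CUPS or pfSense): a small Python probe that sends a minimal IPP Get-Printer-Attributes request to the CUPS host on TCP 631 from a client on another vlan. A "discovered but unavailable" printer usually means Avahi reflects the mDNS advertisement fine but the unicast IPP connection is dropped by the firewall; the probe separates "blocked" (timeout/refused, so the pfSense rule is the problem) from an HTTP or IPP error returned by CUPS (so the cupsd.conf policy is the problem). The host, port and queue path are assumptions; adjust them to your setup.

```python
import socket
import struct


def ipp_attr(tag, name, value):
    """Encode one IPP attribute: value-tag, name-length, name, value-length, value."""
    n, v = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v


def build_get_printer_attributes(printer_uri, request_id=1):
    """Build an IPP/2.0 Get-Printer-Attributes request body (RFC 8010 encoding)."""
    body = struct.pack(">BBHI", 2, 0, 0x000B, request_id)        # 0x000B = Get-Printer-Attributes
    body += b"\x01"                                              # operation-attributes-tag
    body += ipp_attr(0x47, "attributes-charset", "utf-8")        # charset value-tag
    body += ipp_attr(0x48, "attributes-natural-language", "en")  # naturalLanguage value-tag
    body += ipp_attr(0x45, "printer-uri", printer_uri)           # uri value-tag
    return body + b"\x03"                                        # end-of-attributes-tag


def ipp_status(response_body):
    """Status-code is bytes 2..3 of an IPP response; 0x0000 is successful-ok."""
    return struct.unpack(">H", response_body[2:4])[0]


def dechunk(body):
    """Decode an HTTP/1.1 chunked body (CUPS often answers IPP requests chunked)."""
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out, body = out + body[:size], body[size + 2:]


def probe_ipp(host, port=631, path="/printers/Brother", timeout=3.0):
    """Return 'blocked' (timeout/refused), 'http-error', 'ipp-ok' or 'ipp-error:<code>'."""
    body = build_get_printer_attributes(f"ipp://{host}:{port}{path}")  # assumed queue path
    req = (f"POST {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
           f"Content-Type: application/ipp\r\nContent-Length: {len(body)}\r\n"
           "Connection: close\r\n\r\n").encode() + body
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            raw = b"".join(iter(lambda: s.recv(4096), b""))
    except OSError:
        return "blocked"  # firewall drop/reject on TCP 631, or nothing listening there
    head, _, ipp = raw.partition(b"\r\n\r\n")
    if b" 200 " not in head.split(b"\r\n", 1)[0]:
        return "http-error"  # e.g. 401/403 from a <Location> rule, 426 when TLS is required
    if b"transfer-encoding: chunked" in head.lower():
        ipp = dechunk(ipp)
    code = ipp_status(ipp)
    return "ipp-ok" if code == 0 else f"ipp-error:{code:#06x}"
```

Run `probe_ipp("10.0.0.x")` (the CUPS jail's LAN address) once from a LAN host and once from a vlan100 host; "ipp-ok" on LAN but "blocked" from the vlan points at the pfSense rule rather than at cupsd.conf.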
            r801248 @NinthWave
            last edited by

            @ninthwave said in Access IPP printer on different subnet | CUPS on TrueNAS jail:

            The "Brother Print Services" on Android requires that the printer be on the same Wifi network than the client (hence, no VLAN discovery)

            @NinthWave - I have a Brother MFC-L2710DW on a VLAN. The Brother Mobile Connect does not let you print unless you're on the same subnet, but the Brother iPrint&Scan app does. I use it on my iPhone and on every PC & Laptop on the network. Hope this helps.

            P.S. I don't use the Discovery feature but enter the IP manually.

              Gertjan @NinthWave
              last edited by Gertjan

              @ninthwave

              I have a pfSense with two LANs: one for the company, with all the ethernet printers, and a second guest LAN (using the captive portal).
              I have a firewall rule on this second LAN that permits users from the captive portal to contact the IPs of my printers.

              I've installed Avahi, so phones and devices can discover network services.
              This is what they see :

              [image: screenshot of the printers discovered via Avahi on the guest LAN]

              btw : no need for 'cups' ....

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.