Is it possible to allow AirPrint from one VLAN to another without Avahi?
-
I want to keep things as locked down as possible and just allow printing.
I want all devices from VLAN10 be able to AirPrint to a specific printer on VLAN20. Right now I have all traffic between VLAN10 and VLAN20 blocked.
If I use Avahi I think it lets all broadcasts through, meaning devices on both VLANs will know about the devices on the other VLAN.
So is it possible to limit AirPrint traffic somehow?
-
@imthenachoman my solution to airprint - is put the airprint printer on the vlan you will be airprinting from ;)
Other vlans (say not wireless for example) that are not using airprint can just point to the printer fqdn or IP.
That way you do not have to break the L2 boundary..
For example, devices that would airprint, my phones, tablets etc., are on 1 of my wifi networks 192.168.2/24.. I just put the printer on this vlan with IP 192.168.2.50 and fqdn brother.local.lan
Now devices on this vlan can print and discover via airprint. My pc etc. on my other vlans just set up the printer via that fqdn or IP, and I allow traffic to the printer IP from those vlans.
There are also ways of setting up airprint to be found via dns entries, and not have to allow for actual L2 discovery.. But just putting the printer on your airprint vlan is way simpler ;)
-
@johnpoz I know but I want my guests to be able to print. And I have my Brother printer on my IoT network cause I don't trust Brother devices security.
-
@imthenachoman I would assume guest vlan is pretty locked down as well right? So what does it matter if your printer is on guest or some other locked down iot vlan?
My printer on my wifi vlan can not do anything to any other vlan ;)
see my edit - there is a way to get it to work via just dns.. I had it working that way at one time.. If football wasn't on today I might be willing to play with setting up a sort of helpful hints sort of thing..
-
@johnpoz I am not following.
- I have a trust VLAN with both wired and wifi devices
- I have an IoT VLAN where my printer is
- I have a guest VLAN with wifi devices
Wired printing from trust to IoT is a non issue -- just a few FW rules. Wireless printing via AirPrint from trust and guest to IoT -- now that is where I'm lost.
-
@imthenachoman put your printer on guest.. Now you can print from guest. Where you would have an issue is printing from trust wifi using airprint - but if you want to print, just move over to the guest network quick, etc.
-
Or :
Put devices that you want to share among all networks on a dedicated (V)LAN.
Note the IP of every device on the (V)LAN that you want to share.
Add these IPs on every other (V)LAN as a 'pass'. TCP only will do most probably. No need for Avahi, you can "address" = use the IP of all the devices on that dedicated (V)LAN : you can print from any device, from the 'other' (except WAN) networks.
Or, why not, declare a host name for all these shared devices. Now you can use host names. For convenience, add Avahi, make it include the 'dedicated' (V)LAN for easier support.
@imthenachoman said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
cause I don't trust Brother devices security.
Had several of them on a dedicated print-network.
Never ever did I see them going 'out' doing strange things.
Once every 24 hours to sync with the pfSense NTP. Maybe a check for a firmware upgrade?
Anyway : you have a firewall ;) lock the printer to a fixed (DHCP MAC LEASE) IP, and block it from visiting the outside world.
They will still print.
-
@gertjan said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
No need for Avahi, you can "address" = use the IP of all the devices on that dedicated (V)LAN
While I somewhat agree with you.. And yes this would be the best sort of option. Problem is I am not aware of an easy way to add a printer to use in iOS devices, be it via IP or fqdn..
Apple really thinks their users are too stupid for such an option ;) I am not aware of an easy way to manually add a printer to iOS - do you know of a way? Or an app that would allow for that. My understanding is to print stuff from iOS you need to be able to "discover" it..
-
@johnpoz said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
move over to guest network quick, etc.
I mean I could but that is hacky. I am sure there must be a way to do what I am trying without all that. I love a good challenge so I will try to figure it out. I hope I can figure it out. Heh.
@Gertjan You can't "add printer" from iOS. It only shows you printers it can "discover". I just need to figure out how exactly it discovers printers so I can allow that traffic.
-
@johnpoz said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
easy way to add a printer to say use in iOS devices be it via IP or fqdn..
Thought of that while writing my reply above : me neither. But that's more an iOS limitation.
@johnpoz said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
Apple really thinks their users are too stupid for such an option ...
Imagine the support department, explaining end users that they have to enter an IPv4 ... (or an IPv6).
@johnpoz said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
do you know of a way?
That will be a 'noop', as I never looked into it.
-
@gertjan said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
Imagine the support department, explaining end users that they have to enter an IPv4 ... (or an IPv6).
I get that, not saying this should be the only way to access a printer.. Just saying it should be an option.. The printer makers quite often provide an app for assigning their printer.. My Brother printer does have an app for example, and there is one for HP printers I believe.. But those don't always integrate well with say printing from a browser..
To be honest the airprint via mdns is a bit convoluted. Lots of records need to be created, it's just not 1 or 2 TXT or A records, etc. Here is a post with some great details about how it's done with unbound..
While I have not validated his exact settings, etc., he is right on point about how to do it - you need the info your printer hands back from a discovery, and then need to convert those to just dns entries. Which he shows. Sniffing for sure would be 1 way to get the info the printer is handing out..
Another way to get this info is to use avahi-browse, this should be something you can do from any linux client you would have..
Example, here is the info from mine:

root@NewUC:/home/user# avahi-browse _universal._sub._ipp._tcp -t --resolve --no-db-lookup
+ ens3 IPv4 Brother    _ipp._tcp    local
= ens3 IPv4 Brother    _ipp._tcp    local
   hostname = [BRN30055C116AD9.local]
   address = [192.168.2.50]
   port = [631]
   txt = ["print_wfds=T" "UUID=e3248000-80ce-11db-8000-30055c116ad9" "TLS=1.0" "URF=SRGB24,W8,CP1,IS1-4,MT1-3-4-5-8-11,OB10,PQ4-5,RS600,DM1" "TBCP=F" "Transparent=T" "Binary=T" "PaperCustom=T" "Scan=F" "Duplex=T" "Copies=T" "Color=T" "usb_CMD=PJL,PCL,PCLXL,URF" "usb_MDL=HL-3170CDW series" "usb_MFG=Brother" "priority=25" "adminurl=http://BRN30055C116AD9.local./net/net/airprint.html" "product=(Brother HL-3170CDW series)" "ty=Brother HL-3170CDW series" "note=home" "rp=ipp/print" "pdl=application/octet-stream,image/urf,image/pwg-raster" "qtotal=1" "txtvers=1"]
root@NewUC:/home/user#
When I have had some more coffee I will see if I can add that info and get it to work. But it's so much easier just to put the printer on the vlan where you want to airprint from, and your other devices can just actually set up a printer and not have to use discovery ;)
I personally have no idea why anyone would want "guests" to be able to print ;) But it doesn't really matter what vlan the printer is on - as long as whoever you want to use discovery to print can join this vlan. And others that want to print can actually just set up the printer in their os..
That is if you do not want to break your L2 boundary and allow discovery via running avahi on pfsense. Which I am in agreement with, not a fan of allowing that.
Another option is to run a print server on the vlan you want to use discovery from, that can offer up the airprint info for a printer that it has access to. For example cups can do that, where you would run cups on your guest vlan. Have it offer this printer via discovery that it knows is on your iot vlan and can print to, etc.
There are always multiple ways to skin any cat, just need to figure out which way you like best ;)
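The unicast DNS-SD approach johnpoz describes (take what the printer advertises over mDNS, turn it into plain DNS records that unbound serves on the client VLAN) is mechanical enough to script. The example below is added here and is not code from the thread or from pfSense: it parses the `avahi-browse -t --resolve` record format shown above (the sample input is constructed from that output) and emits the unbound `local-data:` lines AirPrint clients need under RFC 6763: the browse-domain pointers, the `_ipp._tcp` and `_universal._sub` PTRs, the SRV and TXT for the instance, and an A record for the printer host inside the unicast zone. It assumes the zone (`local.lan`, the domain johnpoz uses) is already the resolver's local domain, that clients get that domain as their DHCP search domain, that a firewall rule still passes TCP 631 from the client VLAN to the printer IP, and that unbound accepts single-quoted `local-data:` values around a TXT record with inner double quotes; the `\DDD` escaping of spaces in instance names follows RFC 1035/6763 and is the author's choice, not something the thread shows.

```python
"""Turn avahi-browse --resolve output for an AirPrint printer into unbound
local-data records for unicast DNS-SD (RFC 6763).

Added example, not code from the forum thread. Assumptions: the zone is already
the resolver's local domain, clients search that domain, and unbound accepts
single-quoted local-data values (needed for the TXT record's inner quotes).
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape avahi-browse -t --resolve prints; values are
# modelled on the Brother HL-3170CDW record quoted in the thread (trimmed).
SAMPLE = """\
+ ens3 IPv4 Brother    _ipp._tcp    local
= ens3 IPv4 Brother    _ipp._tcp    local
   hostname = [BRN30055C116AD9.local]
   address = [192.168.2.50]
   port = [631]
   txt = ["print_wfds=T" "UUID=e3248000-80ce-11db-8000-30055c116ad9" "TLS=1.0" "URF=SRGB24,W8,CP1,IS1-4,MT1-3-4-5-8-11,OB10,PQ4-5,RS600,DM1" "Duplex=T" "Color=T" "priority=25" "product=(Brother HL-3170CDW series)" "ty=Brother HL-3170CDW series" "note=home" "rp=ipp/print" "pdl=application/octet-stream,image/urf,image/pwg-raster" "qtotal=1" "txtvers=1"]
"""

_TXT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted TXT string, keeps escapes


@dataclass
class Service:
    name: str            # service instance name, e.g. "Brother"
    stype: str           # service type, e.g. "_ipp._tcp"
    host: str = ""       # mDNS host name the printer advertises
    address: str = ""    # IPv4 or IPv6 literal
    port: int = 0
    txt: list = field(default_factory=list)


def parse_avahi(text):
    """Parse resolved ('=') records; '+' lines carry no resolution data."""
    services, cur = [], None
    for line in text.splitlines():
        if line.startswith("="):
            parts = line.split()
            # Instance names may contain spaces, so take type and domain from the right.
            cur = Service(name=" ".join(parts[3:-2]), stype=parts[-2])
            services.append(cur)
        elif cur is not None and line.startswith(" ") and " = " in line:
            key, _, val = line.strip().partition(" = ")
            val = val[1:-1]  # drop the surrounding [ ]
            if key == "hostname":
                cur.host = val
            elif key == "address":
                cur.address = val
            elif key == "port":
                cur.port = int(val)
            elif key == "txt":
                cur.txt = _TXT_RE.findall(val)
    return services


def escape_label(name):
    """Escape a DNS-SD instance name as a single zone-file label (RFC 6763 4.3)."""
    out = []
    for ch in name:
        if ch in ".\\":
            out.append("\\" + ch)
        elif ord(ch) < 0x21 or ord(ch) == 0x7f:       # space and controls -> \DDD
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unbound_records(svc, zone, ttl=3600):
    """Return the local-data lines that make svc browsable in the unicast zone."""
    zone = zone.rstrip(".")
    stype = f"{svc.stype}.{zone}."
    inst = f"{escape_label(svc.name)}.{stype}"
    # Re-home the printer's host name in the unicast zone; ".local" is meaningless off-link.
    host = f"{svc.host.split('.')[0]}.{zone}."
    rrs = [
        (f"b._dns-sd._udp.{zone}.", "PTR", f"{zone}."),           # browse-domain enumeration
        (f"lb._dns-sd._udp.{zone}.", "PTR", f"{zone}."),          # legacy browse domain
        (f"_services._dns-sd._udp.{zone}.", "PTR", stype),        # service-type enumeration
        (stype, "PTR", inst),                                     # instance enumeration
        (inst, "SRV", f"0 0 {svc.port} {host}"),
        (inst, "TXT", " ".join(f'"{t}"' for t in svc.txt)),
        (host, "AAAA" if ":" in svc.address else "A", svc.address),
    ]
    if svc.stype == "_ipp._tcp":
        # AirPrint clients browse the _universal subtype, not just _ipp._tcp.
        rrs.append((f"_universal._sub.{stype}", "PTR", inst))
    return [f"local-data: '{o} {ttl} IN {t} {r}'" for o, t, r in rrs]


def render(text, zone):
    """Full unbound 'server:' fragment for every service found in text."""
    lines = ["server:"]
    for svc in parse_avahi(text):
        lines += ["    " + rec for rec in unbound_records(svc, zone)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(SAMPLE, "local.lan"))
```

Feed it the real `avahi-browse` output captured on the printer's VLAN and paste the result into unbound's custom options; the same parser covers printers whose instance name contains spaces, which is the common case for HP and Canon models. Note the TXT `adminurl` and `UUID` values come across unchanged, so anything the printer leaks there is now served to every client in the zone.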
-
@johnpoz Don't stress this too much. I've got an edge use-case. I'll play with it when I have time. I'd hate to consume someone else's time with this. Thank you for all your help!
-
@imthenachoman said in Is it possible to allow AirPrint from one VLAN to another without Avahi?:
I'd hate to consume someone else's time with this
Dude I wouldn't do it - if it didn't interest me as well.. I just need some motivation to do it; helping someone else with their issues is normally motivation for me to sit down and skin the cat the other way ;)
Vs doing it the easy way...