Need help printing from one network to another
-
Good Morning,
Looking for some help on printing from different VLAN.
My Windows 11 host has IP address of 172.16.1.3. My printer is on 192.168.1.71. I created a rule allowing the host to pass through to printer. For some reason it's not working.
Originally I thought it was because of where I had placed the rule. One of my rules is to block all traffic from 172.16 to 192.168. First time around I had the print rule under that. I changed it so that it was above the block rule and it still didn't work.
What am I missing? Is it necessary to include the port as well? I was looking through system logs, but can't find where this process is taking place.
-
And these firewall rules are on what interface ?
The "172.16.1.x" network, the 192.168.1.x" network ? -
Firewall rules are on 172.16
-
What size subnet?
Those IPs are in the same /24 which would typically be the same subnet and hence not pass the firewall at all.
But assuming they are not the rule order is all wrong.
Nothing can ever hit that rule you added because there is a pass all rule above it.
The rule block all traffic to 'LAN subnets' above that may be blocking that print traffic anyway. The print rule would have to be above it as your arrow indicates.
-
Currently the 172.16 network is /29. Only 4 out of 6 addresses are being used.
I read in another post that @johnpoz made that the first rule to trigger wins. So if that's the case and I move the "Allow Print" rule above the "Block LAN Access" rule, I get the same result at this point. The traffic isn't passing. The packet capture at the bottom is my machine when I joined the 172.16 network.
-
Yup, sorry I totally read those IPs as being in the same /24 which of course they are not!
Yup so with the rule above everything else traffic from the host should hit it.
Those pings in the pcap are not hitting it though because the source there is 172.16.1.2 not .3. And because the printer rule is for TCP/UDP and not ICMP.
-
Thanks @stephenw10. I went ahead and changed the rule a little bit after you pointed out my mistakes. For now during the troubleshooting process it looks like this. Also, after changing it I ran another packet capture and it 's showing the same response as before. I also tried printing something from the printer application and I can't even see any of that traffic, just the ping request.
-
172.16.1.2 is the pfSense interface IP address?
That traffic should be from the test client in the 172.16 subnet. I had assumed that's what 172.16.1.2 was.
I would just set the source to 'any' as a test.
-
172.16.1.2 is my host IP address and 172.16.1.3 is another host on the network. Neither can reach printer.
Also, I changed the source to any and that didn't open it up either.
-
Do you see it passing traffic on the rule at least? The packet/state counters are above zero?
-
@nosenseatall you sure your printer has a gateway set, and it points to pfsense IP on the 192.168.1 network?
Yo won't be able to talk to a printer on another network, if the printer has no gateway.. The correct fix is to set a gateway. A work around if you can not do that is do an outbound nat on your printer network interface, so the printer thinks the traffic is coming from pfsense IP on the same network as the printer.
-
@stephenw10 I am not sure I know where to get the information to answer your question. When I look at the rule I see 0/0b. Is that what you're referring to?
-
@johnpoz These are the printer settings.
-
@nosenseatall that is good you have a gateway, and assume 192.168.1.1 is pfsense IP on that network.
Your rule below your any any is pointless.. Your any any rule would allow access to anything..
So you must be blocking access before it.. What networks are in that pfb_pri alias? Is this printer on your lan subnet? Or any of your other blocks? Do you have any rules in floating?
I would look in the diag table section for what is include in that top pfb rule..
-
@johnpoz "A work around if you can not do that is do an outbound nat on your printer network interface, so the printer thinks the traffic is coming from pfsense IP on the same network as the printer."
Would you mind showing me what that would look like? I haven't done something like that yet.
Thank you!
-
@nosenseatall I could show you but unless your printer just isn't answering because the source is not allowed by the printer or it was sending it to some other gateway (not pfsense) that wouldn't do any good.
Sniff on on your pfsense 192.168.1.1 interface, and do you ping test again... Do you see the traffic sent to the printers IP 192.168.1.71 but don't get a reply.
Your sniff showing the pings seems to be on the source interface of where pfsense is seeing the ping it should route to the printer.
I would guess your just blocking the traffic with the pfb alias rule on the very top, or one of your other rules that are blocking? or you have something in floating..
If you show the traffic leaving pfsense to the printer in the sniff on 192.168.1.1 interface.. And you validate that is sending to the correct mac but just don't get an answer, sure happy to walk you through how to do the outbound nat thing.. But your printer has a gateway, so it should allow to print to it from any of your networks as long as you allow it in the firewall rules.
It would be like this, but with your specific interface and networks.
Doing it to directly access my cameras - because they point to the nvr as their gateway.. So to directly get to them I make the traffic look like it comes from pfsense IP address in the cam network.
-
You should see some bytes and states on that rule if it's at the top of the list. When the host in 172.16.1.X subnet tries to connect to the printer. Or if you just try to ping the printer manually.
-
"assume 192.168.1.1 is pfsense IP on that network" - that is correct
"Your rule below your any any is pointless.. Your any any rule would allow access to anything.." - Are you referring to this?
"What networks are in that pfb_pri alias?" The 38267_Alt is the only network associated with pfBlocker at the moment.
"Is this printer on your lan subnet?" - Yes 192.168. is LAN network
"Do you have any rules in floating?" - This is the only one
-
@nosenseatall said in Need help printing from one network to another:
"What networks are in that pfb_pri alias?"
This rule
Look in your table for that alias.. Doe it contain rfc1918 space or your 192.168.1 network
And seems you keep changing your rules? If that is your lan interface, is there where the 172.16.1.3 client is, what network is your 192.168.1.71 printer on?
Your rules to allow 172.16.1.3 should be on that networks interface.. That rule your showing is not allowing icmp so you ping test would not work..
edit: here
The rules to allow .3 to talk to your printer should be on that interface.. What rules you have on the 192.168.1.1 make no matter you could have zero rules there and .3 could still talk to your printer if rules on pfsense 172.16.1.1 interface allow it. And printer allows it and points its gateway back to pfsense 192.168.1.1 address..
-
Thank you ALL for your help.
Something in pfBlocker is causing the problem.
When I disabled it, everything started working. I re-enabled pfBlocker and put the allow print rule above it and were still good to go.
