Printer on Separate VLAN Issue

stevencavanagh

Hi,

Had a look through previous posts for this but nothing that came up solved the issue. I have a Xerox C315 printer which was connected to the IOT network and all worked fine, including the "remote services - communications".

Created a new VLAN for the printers and added the same firewall rules as for the IOT (well relevant ones anyway!) and although I can print, ping and get to the admin page via IP Address, it constantly moans at me indicating that the "Remote Services - Communications failed". This has been temporarily disabled to allow printing until resolved.

The printers VLAN is 192.168.80.1 (gateway) and the gateway of the printer is showing as 192.168.80.1, which I assume is correct with all being done via DHCP.

Avahi is installed but hasn't solved the issue.

Any help appreciated
Steve

Popolou

@stevencavanagh Sounds like the printer is attempting to connect to Xerox's back-end remote servers for print and device management purposes but is being blocked at the firewall. I suspect your IoT network permitted unhindered access to the 'net but the new vlan you created for it blocks connections to the host support.xerox.com.

Check your router to see what services it is running (like pfBlocker) and if it is monitoring that vlan.

Gertjan

@stevencavanagh

Like @Popolou : your printer is telling you it "needs something, but you, with your (put in placve by you) firewall rules say NO, and now you want advice for what to do ?
Yes or No, you have to choose.

First, you have to know what the printer 'needs'.
Leave the printer at DHCP client mode, and create a DHCP MAC Lease on the LAN interface with host name for the printer. From now on, it will always have the same IP - and a host name for free.
Add at the top of your LAN a pass all firewall rule, with the source IP, being the printer.
Make this rule log.
From now on, every visit 'to the outside' will get logged.
You see lines which uses destination port 53 ? It DNS - probably only to the VLAN pfSense IP.
It goes to destination port 123 ? Same thing, normally only the pfSense IP (if yo have set NTP to use this IP - as this one probably doesn't get set by DHCP).
Every other (remote) IP : reverse DNS them, and se who/what they are. Mostly the printer looking for a possible update/upgrade ?
From now on, up to you to decide, with more adapted firewall rules, what your printer can visit you are the admin, you choose !

@stevencavanagh said in Printer on Separate VLAN Issue:

Avahi is installed but hasn't solved the issue.

Avahi can be useful so other devices on other LAN networks can 'discover' the printer. And discover here has nothing to do with being able to actually contact the printer.
Your firewall rules on these other LANs decide if these devices can actually access the printer.

stevencavanagh

@Gertjan

I have exactly the same rules on the Printer VLAN as on the IOT VLAN??

The printer always gets the same IP address (static mapping).

Added the pass all rule as requested but still has an issue.

Steve

Popolou

@stevencavanagh Xerox detailed how their devices connect here and should give you a way to investigate connectivity via the fw logs. The printer connects via TLS on 443 so i doubt you are blocking that which would suggest it could be the other ports or the hostname.

Repeating myself here but what packages are you running?

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

Added the pass all rule as requested but still has an issue.

A pass rule for that printer IP - select the IP of the printer as the source IP.
And make the rule log.
Now, whenever the printer goes out shopping, you have a trace.

Ones the pass rule is in place, the printer can go out.
If it still can not connect, you have other issues.

As you've mentioned VLANs, no need to look very long : ditch all your VLANs, and suddenly things start to work ^^

stevencavanagh

@Popolou

Apologies, forgot to document the packages running!

Avahi, Darkstat, freeradius3, iperf, mailreport, nut, openvpn-client-export, pfBlockerNG, squid, squidGuard, Status_Traffic_Totals

Not particularly familiar with PfBlockerNG, so anything I should be looking for and where. Can't see anything obvious though.

stevencavanagh

@Gertjan

Checked the firewall logs and have nothing being blocked at all! Assume there must be other issues but God knows what!

the other

@stevencavanagh
Just guessing here...you mentioned pfblocker...any logs show anything there?
Do you use GeoIP blocking outbound?

Logs for pfblocker: Firewall > pfblocker there Logs set to ip_block.log and have a look at what's been blocked so far.

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

Checked the firewall logs and have nothing being blocked at all! Assume there must be other issues but God knows what!

With these two rules (ignore the first rule) :

pfSense can't block any traffic with these two rules.

And yeah, @stevencavanagh is right, if you use pfBlockerng you better check if that one - as per your instructions ! - block DNS requests or IPs ....

stevencavanagh

@the-other

Nothing showing in the Pfblocker logs........

Popolou

@stevencavanagh said in Printer on Separate VLAN Issue:

@Popolou

Apologies, forgot to document the packages running!

Avahi, Darkstat, freeradius3, iperf, mailreport, nut, openvpn-client-export, pfBlockerNG, squid, squidGuard, Status_Traffic_Totals

Not particularly familiar with PfBlockerNG, so anything I should be looking for and where. Can't see anything obvious though.

@stevencavanagh I'd investigate within pfB first. Depending on what blocklists you have, it could be that the aforementioned hostname is on the list. Also, investigate the "IP Interface/Rules Configuration" tab under the IP setting: it is possible you didn't set the package to monitor the IoT vlan which could indicate why the device was able to access those servers without restriction. Another test is to join that vlan and test to see if you can reach the same remote host just as the printer would.

stevencavanagh

@the-other

The pfblocker logs appear to be all empty!

stevencavanagh

@Gertjan

Implemented those 2 rules but no change!

Gertjan

@stevencavanagh said in Printer on Separate VLAN Issue:

The pfblocker logs appear to be all empty!

What log ?

Goto this page :

and hit Ctrl-F, type in the IP LAN of the printer, and see what pops up.

Also check the "Unified" log, look under "SRC".

@Popolou said in Printer on Separate VLAN Issue:

squid, squidGuard,

Now all bets are off .... you just opened up a whole swimming pool full of potential issues

stevencavanagh

@Gertjan

Checked logs as described and nothing at all with the printer ip address

the other

@stevencavanagh
well, tried to disable snort and co for a test to be sure THAT is not interfering?
Are (after that change from Vlan IoT to Vlan Printer) the printer's DNS settings okay? In case DNS info is not sent by dhcp...

stevencavanagh

@the-other

DNS settings seem fine.........

Popolou

@stevencavanagh If the printer is set to DHCP but it is getting those DNS, you got other more fundamental problems to investigate tbh.

stevencavanagh

@Popolou

Such as?