Reaching a Printer over vlan trunk
-
Hi,
i have a problem with my pfSense Netgate 4100 with 24.03-RELEASE (amd64) and I hope, that someone can give a solution for that.My netplan is
Here are some screens of my pfsense configs.
Problem description:
PC1 can’t reach Printer with Ports like 40/443 etc.. ICMP (ping) works.Any Ideas?
-
@tomic why would you tag connection to printer - does the printer understand tags, did you set it for vlan 10 tag?
The connection to your printer should be untagged, ie an access port in vlan 10. Yeah the connection from netgate would tagged if you carry more than 1 vlan to and from that switch. And trunk to access point makes sense if you have multiple vlans per ssid on the AP, etc.
But to a single device like a printer it would be untagged almost always.
-
@johnpoz thank you for your response
The problem is also there if i connect the printer with the SSID with vlan10.
But i will give it a try and connect the printer on an untagged vlan port of the switch.Another aspect of my problem is, that the cisco switch is also not reachable in other networks but from pfsense fw.
PC (192.168.3.2x -----X----- Cisco Switch (192.168.2.2)
pfSense (192.168.2.1 -----OK----- Cisco Switch (192.168.2.2)
-
@tomic to your cisco switch, is that the management IP or is that an svi on some other vlan?
Did you set a gateway on your switch? Your not going to be able to talk to a device from another network if it has no gateway.. Also other issue could be mask is wrong on the switch, and it thinks your 192.168.3.x address local.
No gateway is another possible issue with printers.. Is the IP set on the printer or via dhcp.. If it was connected to a tagged port it prob wouldn't get an IP via dhcp, etc.
-
i included my cisco config
running-config.txti was not able to find an option, where i can set a gateway
-
@tomic you would set it in routing
Or with just the cli command
from conf t
ip default-gateway 192.168.9.253Where you would use your IP, which would be 192.168.2.1 I would guess
-
@johnpoz Thanks for the fast response - i tried the following, without success.
Here is the new route
Port VLAN Membership Table
VLAN 10 Members
What i also tried:
I connected my pc with the the vlan50 port of the switch. My PC got an ip 192.168.50.22 correct. Ping from this pc to the printer 192.168.10.44 works, but 80/443 etc. doesn't work.As you can see, the port (GE4) on the switch where the printer is connected has untagged vlan 10.
BUT: If i use my smartphone, which is connected to one of the Access Points in vlan10, i can open the ip of the printer in browser. So within vlan10 the communication works.
-
@tomic that route has zero to do with access to the printer.. That has to do with access to your switch for admin from another network
What are you firewall rules on interface your trying to access the printer from..
Your lan rules you posted - show that they have never even been evaluated.. See the 0/0 B in the states column
Does your printer have a gateway set - your not going to be able to talk to it if has no gateway.
-
What are you firewall rules on interface your trying to access the printer from..
- Allow any any on the LAN Interface and the specific vlan 10 interface
At the moment, all Firewall rules are set to allow all.
The GW on the printer is set to 192.168.2.1. I also tried 192.168.10.1, which is also set on the netgate 4100.
- Allow any any on the LAN Interface and the specific vlan 10 interface
-
@tomic well if the printer has a 192.168.10 address the gateway sure wouldn't 192.168.2.anything
-
@johnpoz as i described - i tried 192.168.2.1 and 192.168.10.1 as GW on the printer with the same result
-
@tomic why you would of ever thought 192.168.2 would be an option is concerning..
Sniff on pfsense on the vlan 10 interface when you try and access the printer... Do you see pfsense send on the traffic, if so then its not a pfsense problem.
Also validate your printers mask is correct for your vlan 10 network, if its 192.168/16 and your trying to talk to it from say 192.168.2.x then the printer would think hey that is local and would never send the traffic back to pfsense to be routed back to your client trying to access the printer.
Your saying ping works - that points to maybe your using the wrong port to access the printer gui? Or it doesn't like remote access.. Can you access the printer gui from something on the vlan 10 network? To validate the gui is even working or enabled..
If that works, and you show sniffing pfsense sending the traffic - you could always source nat so printer thinks pfsense IP on its own network is talking to it.
