Netgate Discussion Forum

    SMB | Two Vlans

    L2/Switching/VLANs
    10 Posts 7 Posters 314 Views
      yuriewcli

      Hi,

      Am I missing something?

      I'm trying to access SMB protocol from vlan1 to vlan2.
      But it can't.

      Already set rule to allow SMB protocols TCP 445, 139.
      I also tried to set the protocol to "any".

      Pings are okay.

      The device is a printer (with scanner) in vlan1, and a computer in vlan2.
      The scanned file should store the document to vlan2

        yuriewcli

        Hi.. Please, I need your expertise, I'm stuck for weeks already.
        We have installed a centralized printer - XEROX ALTALINK 8035 in the office with assigned IP: 10.0.11.3

        Our office has been set up to have a vlan for each dept.
        For the sake of the discussion, I'll say IT dept network range is 10.0.12.0/24.
        Support Dept is 10.0.11.0/21 where the printer is also connected.

        Now, the thing is, printing is okay, we can print from IT dept. But we can't scan.
        We are using SMB protocol.
        In case needed, yes, Support Dept can scan thru SMB protocol.

        As for the rules. I already used "any" protocol aside from SMB ports (445 and 139)

        Rule 1
        Source: Printer IP
        Dest: IT
        Protocol: Any

        Rule 2
        Source: Printer IP
        Dest: IT
        Protocol: TCP
        Port: 445, 139

        Rule 3
        Source: Support subnets
        Dest: IT Subnets
        Protocol: any

        Please help !!

          slu @yuriewcli

          @yuriewcli

          1. Diagnostics / Packet Capture and limit it to the source or destination ip
          2. Don't limit it to the ports, try if it works and click onto the states to see what protocol / port was used

          pfSense Gold subscription

            patient0 @yuriewcli

            @yuriewcli please don't double post, and this is not the right place. But you provided more helpful info than in the other thread.

            @mods can you merge this with https://forum.netgate.com/topic/196932/smb-two-vlans ?

              JKnott @yuriewcli

              @yuriewcli

              How are you trying to connect? If you're waiting for the server to just appear, it won't, as that requires broadcasts which are not passed through a router. You have to use the IP address.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                stephenw10 Netgate Administrator

                Merged.

                Yes, probably needs a different port. 9400 perhaps.

                  yuriewcli @slu

                  @slu Hi, I did the packet capture.
                  output.png

                  I don't understand this though.

                    yuriewcli @stephenw10

                    @stephenw10 I tried this.
                    TCP port 9400, still didn't pass through.

                      johnpoz LAYER 8 Global Moderator @yuriewcli

                      @yuriewcli not sure why you wouldn't show the IPs - would assume they are RFC 1918, but there is not much I can tell you from what you posted, other than whatever you were talking to on 443, which is https - not SMB nor printing - is sending you a FIN, i.e. done with this conversation.

                      Where are you placing those rules you list? Rules are evaluated on the interface where traffic enters pfSense - if the source is the printer IP, that would be on the printer vlan/network interface.

                      The support subnets would need to be on the support vlan/network interface.

                      If you have any rules - those other rules are going to be meaningless, you're already allowing any; not sure how allowing 445 or 139 wouldn't be included in ANY ;)

                      Your issue is not related to rules if you have an ANY rule, that is for sure... Do these rules force traffic out a gateway??

                      Do you have any floating rules? If you say you can print from any network to these printers, but can't scan - and you're using any rules - that points to something else being wrong, like scanning is not set up correctly, etc. What is the printer supposed to do with its scan, where is it supposed to store the scan via SMB? On the client's machine, on some file share?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        Gertjan @yuriewcli

                        @yuriewcli said in SMB | Two Vlans:

                        For the sake of the discussion, I'll say IT dept network range is 10.0.12.0/24.
                        Support Dept is 10.0.11.0/21 where the printer is also connected.

                        Now, the thing is, printing is okay, we can print from IT dept. But we can't scan.

                        First: 10.0.11.0/21: are you sure about that /21?
                        Without firing up my network calculator, this /21 might overlap your 10.0.12.0/24 .... introducing network issues.

                        A device, let's imagine a Windows PC, living on 10.0.12.0/24 can connect to a device on 10.0.11.3/24 (the printer): it can print. If SMB doesn't seem to work: use the printer IP, and you're good.
                        Or assign a local DNS host name to "10.0.11.3" and use that wherever possible.

                        The other way around: the scanner: did you check that the destination of the scanner, as it is a device living outside of the local network (printer's point of view), is reachable?
                        Windows devices, afaik, only accept, by default, SMB traffic from their own local network, like 10.0.12.0/24 only.
                        You have to visit the Windows firewall on that PC, and add other networks like 10.0.11.0/24.
                        Normally, you should have a shared directory on the PC so the scanner can access it and drop the image or PDF scanned files.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??
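
The /21 question raised in the post above can be checked mechanically. This is an added example, not code from any poster in the thread: it uses Python's `ipaddress` module with the subnets and printer IP quoted in the thread, and the IT-side host 10.0.12.50 is a constructed sample address. It reports the real network behind a prefix typed with host bits set, which VLAN definitions overlap, and whether a host with a given mask would send a packet to its gateway or try to reach the destination directly.

```python
import ipaddress

def normalize(cidr):
    """Return (network, host_bits_set) for a prefix exactly as it was typed."""
    iface = ipaddress.ip_interface(cidr)
    return iface.network, iface.ip != iface.network.network_address

def find_overlaps(vlans):
    """vlans maps name -> CIDR string. Return name pairs whose networks overlap."""
    nets = {name: normalize(cidr)[0] for name, cidr in vlans.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def next_hop(src_iface, dst_ip):
    """Decide how a host configured as src_iface (ip/prefix) reaches dst_ip.

    'on-link' : destination is inside the host's own subnet, so it ARPs for
                it on the local segment and never hands the packet to a router.
    'gateway' : destination is outside, so the packet goes to the default
                gateway, where firewall rules are evaluated.
    """
    iface = ipaddress.ip_interface(src_iface)
    return "on-link" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"

# Subnets as written in the thread.
VLANS = {"IT": "10.0.12.0/24", "Support": "10.0.11.0/21"}
PRINTER_IP = "10.0.11.3"      # from the thread
IT_HOST = "10.0.12.50"        # constructed sample host in the IT range

if __name__ == "__main__":
    for name, cidr in VLANS.items():
        net, dirty = normalize(cidr)
        note = " (host bits were set in the typed prefix)" if dirty else ""
        print(f"{name}: {cidr} -> {net}, "
              f"{net.network_address} to {net.broadcast_address}{note}")
    print("overlapping:", find_overlaps(VLANS))
    # Printer -> PC (scan to SMB share) with the mask as posted vs. a /24.
    for mask in ("21", "24"):
        print(f"printer /{mask} -> {IT_HOST}:",
              next_hop(f"{PRINTER_IP}/{mask}", IT_HOST))
    # PC -> printer (printing) from the IT /24.
    print(f"PC /24 -> {PRINTER_IP}:", next_hop(f"{IT_HOST}/24", PRINTER_IP))
```

An `on-link` result means the host ARPs for the destination on its own segment and the packets never reach pfSense, so no rule on any interface is evaluated for them.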

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.